CVE-2026-12406 User Frontend <= 4.3.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion via 'attach_id' Parameter
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.7. This is due to the plugin not properly verifying that a user is authorized to perform an...