anonhaven
Ad

CVE-2026-1644

MEDIUM CVSS 3.1: 4.3
Updated Mar 07, 2026
WordPress
Parameter Value
CVSS 4.3 (MEDIUM)
Type CWE-352 (Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов))
Vendor WordPress
Public PoC No

The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
None
Права не нужны
User Interaction
Required
Нужно действие пользователя

Impact Assessment

Confidentiality
None
Нет утечки данных
Integrity
Low
Частичная модификация данных
Availability
None
Нет нарушения работы

CVSS Vector v3.1

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов)

References 4

https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.8/func…
security@wordfence.com
https://plugins.trac.wordpress.org/browser/wp-front-end-profile/trunk/functions…
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&ol…
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/74b186fd-5825-4a20-82…
security@wordfence.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-2433

WordPress

6.1

CVE-2026-2420

WordPress

4.4

CVE-2026-1825

WordPress

6.4

CVE-2026-1824

WordPress

6.4

CVE-2026-1823

WordPress

6.4