WordPress · WPFront User Role Editor · CVE-2024-2931
**Name of the Vulnerable Software and Affected Versions**
WPFront User Role Editor plugin for WordPress versions up to, and including, 3.2.1.11184
**Description**
The issue allows authenticated attackers with subscriber-level access and above to extract a list of all user email addresses registered on the site. This is possible via the `wpfront_user_role_editor_assign_roles_user_autocomplete` AJAX action.
**Recommendations**
For versions up to, and including, 3.2.1.11184, consider disabling the `wpfront_user_role_editor_assign_roles_user_autocomplete` AJAX action until a patch is available, or restrict access to it to minimize the risk of exploitation. Avoid using this action in the affected plugin until the issue is resolved.
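
One way to restrict access to the action is a small must-use plugin that runs before the vulnerable handler and rejects callers who cannot manage roles. This is an added example, not code from the WPFront plugin or its vendor. It assumes the action is registered under the underscore-joined name, and the choice of `promote_users` as the required capability, the file name and the `wpfure_` prefix are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Restrict WPFront assign-roles autocomplete (temporary mitigation)
 * Description: Added example. Rejects the autocomplete AJAX action for users
 *              who are not allowed to change other users' roles.
 *
 * Suggested location (assumption): wp-content/mu-plugins/wpfure-autocomplete-guard.php
 */

// Do nothing when the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Assumption: the action named in the advisory, written with underscores.
const WPFURE_AUTOCOMPLETE_ACTION = 'wpfront_user_role_editor_assign_roles_user_autocomplete';

// Assumption: only accounts that may change other users' roles need the lookup.
const WPFURE_REQUIRED_CAP = 'promote_users';

/**
 * Guard that runs ahead of the plugin's own handler for the AJAX action.
 * Authorized users fall through to the original handler; everyone else
 * receives a 403 JSON error and the request ends before any user data is read.
 */
function wpfure_guard_autocomplete() {
    if ( current_user_can( WPFURE_REQUIRED_CAP ) ) {
        return;
    }

    // Leave a trace for detection: repeated hits from a low-privilege
    // account suggest someone is probing the endpoint.
    error_log( sprintf(
        'Blocked %s for user ID %d from %s',
        WPFURE_AUTOCOMPLETE_ACTION,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() terminates the request during AJAX calls,
    // so the plugin's handler never executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// The lowest possible priority ensures the guard fires before the
// plugin's callback, which is attached to the same hook.
add_action( 'wp_ajax_' . WPFURE_AUTOCOMPLETE_ACTION, 'wpfure_guard_autocomplete', PHP_INT_MIN );
```

Remove the file once a fixed plugin version is installed, and review the PHP error log for blocked requests to see whether low-privilege accounts have been calling the endpoint.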