WordPress · Wp User Frontend · CVE-2026-5127
**Name of the Vulnerable Software and Affected Versions**
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration versions prior to 4.3.2
**Description**
Insufficient input validation and type checking on the `wpuf_files` parameter during form submission, combined with unconditional deserialization via the `maybe_unserialize()` function when displaying post content, allows authenticated attackers with Subscriber-level access or higher to inject arbitrary PHP objects. This can lead to arbitrary code execution, deletion of arbitrary files, or other malicious actions if a POP (Property-Oriented Programming) chain, a sequence of gadgets used to execute code during deserialization, is present on the target system.
**Recommendations**
Update to a version newer than 4.3.1.
As a temporary workaround, restrict access to the `wpuf_files` parameter during form submissions to minimize the risk of exploitation.
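
The two controls the description says were missing, type checking on the submitted field and a read path that never instantiates objects from stored data, shown as an added example; this is not the plugin's code. The function names, the sample input, and the assumption that `wpuf_files` should carry only numeric attachment IDs are assumptions made for illustration. It requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not plugin code. Assumes the field carries numeric IDs.
function example_sanitize_file_ids(mixed $raw): array
{
    if (!is_array($raw)) {
        return []; // a bare string, such as serialized data, is never valid
    }
    $ids = [];
    foreach ($raw as $group) {
        foreach ((array) $group as $value) {
            // Digits only: rejects "O:8:...", "a:1:{...}", negatives, nested arrays.
            if (is_int($value) || (is_string($value) && ctype_digit($value))) {
                $ids[] = (int) $value;
            }
        }
    }
    return array_values(array_unique(array_filter($ids, fn ($id) => $id > 0)));
}

// True if a decoded value holds an object anywhere in its structure.
function example_has_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (example_has_object($item)) {
            return true;
        }
    }
    return false;
}

// Hypothetical read-side guard: never instantiate classes from stored data.
function example_safe_decode(string $stored): mixed
{
    // allowed_classes=false turns every object into __PHP_Incomplete_Class,
    // so no __wakeup()/__destruct() of a real class can run.
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if ($value === false && $stored !== serialize(false)) {
        return $stored; // not serialized data: treat as plain text
    }
    return example_has_object($value) ? null : $value;
}

// Constructed sample input, shaped like a submitted wpuf_files field.
$mixed = ['gallery' => ['12', 'O:8:"stdClass":0:{}', '-3', '57']];
var_dump(example_sanitize_file_ids($mixed), example_safe_decode('O:8:"stdClass":0:{}'));
```

Validating on write stops new payloads from being stored; the read-side guard matters for values that were saved before the update and are still deserialized when the post is displayed.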