CVE-2021-25076

Name of the Vulnerable Software and Affected Versions WP User Frontend WordPress plugin versions prior to 3.5.26

Description The issue arises from the lack of validation and escaping of the status parameter before it is used in a SQL statement in the Subscribers dashboard. This oversight can lead to an SQL injection. Additionally, due to the insufficient sanitisation and escaping, it could also result in Reflected Cross-Site Scripting.

Recommendations For versions prior to 3.5.26, update to version 3.5.26 or later to resolve the issue. As a temporary workaround, consider restricting access to the Subscribers dashboard to minimize the risk of exploitation. Avoid using the status parameter in the affected SQL statement until the issue is resolved.