CVE-2025-3054

Name of the Vulnerable Software and Affected Versions WP User Frontend Pro plugin for WordPress versions up to, and including, 4.1.3

Description The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload files() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. The 'Private Message' module must be enabled and the Business version of the PRO software must be in use for this vulnerability to be exploited.

Recommendations For WP User Frontend Pro plugin for WordPress versions up to, and including, 4.1.3: As a temporary workaround, consider disabling the upload files() function until a patch is available. Restrict access to the 'Private Message' module to minimize the risk of exploitation. Avoid using the plugin with the Business version of the PRO software until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.