PT-2026-38892 · WordPress · Wp User Frontend

D.V4N_S3C · Published 2026-05-08 · Updated 2026-05-09 · CVE-2026-5127

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration, versions prior to 4.3.2

Description
Insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when post content is displayed, allows authenticated attackers with Subscriber-level access or higher to inject arbitrary PHP objects. If a POP (Property-Oriented Programming) chain, a sequence of gadgets that executes code during deserialization, is present on the target system, this can lead to arbitrary code execution, deletion of arbitrary files, or other malicious actions.

Recommendations
Update to a version newer than 4.3.1. As a temporary workaround, restrict access to the wpuf_files parameter during form submissions to minimize the risk of exploitation.
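The pattern the description refers to, shown as an added illustration that is not the plugin's own code: a submitted field stored without a type check and later run through WordPress's maybe_unserialize(), beside a hardened handler that enforces the expected shape at the request boundary and never deserializes request-derived data. The function names and the `_wpuf_files` meta key are assumptions; maybe_unserialize(), is_serialized(), absint(), wp_json_encode() and the post-meta functions are real WordPress APIs.

```php
<?php
// Added illustration, not the plugin's code. Function names and the meta key are assumed.

// WEAK PATTERN (as described in the advisory): the field is stored whatever its type
// and later passed through maybe_unserialize(). get_post_meta() already unserializes
// the stored value once; the second pass turns a submitted serialized string into
// PHP objects, which is the object-injection primitive.
function weak_store_wpuf_files( int $post_id ): void {
    $files = $_POST['wpuf_files'] ?? [];          // no type check: string or array accepted
    update_post_meta( $post_id, '_wpuf_files', $files );
}
function weak_render_wpuf_files( int $post_id ): array {
    $raw = get_post_meta( $post_id, '_wpuf_files', true );
    return (array) maybe_unserialize( $raw );    // unconditional deserialization
}

// HARDENED PATTERN: accept only a list of attachment IDs owned by the submitter,
// persist it as JSON (json_decode() cannot instantiate objects), and log rejects so
// abuse attempts are visible to monitoring.
function hardened_store_wpuf_files( int $post_id ): bool {
    $input = $_POST['wpuf_files'] ?? [];
    if ( ! is_array( $input ) ) {
        // A serialized-looking scalar where an array is expected is the tell-tale sign.
        if ( is_string( $input ) && is_serialized( $input ) ) {
            error_log( sprintf( 'wpuf_files: rejected serialized payload for post %d from user %d',
                $post_id, get_current_user_id() ) );
        }
        return false;
    }
    $ids = [];
    foreach ( $input as $id ) {
        $id = absint( $id );
        if ( $id && 'attachment' === get_post_type( $id )
             && (int) get_post_field( 'post_author', $id ) === get_current_user_id() ) {
            $ids[] = $id;
        }
    }
    update_post_meta( $post_id, '_wpuf_files', wp_json_encode( $ids ) );
    return true;
}
function hardened_render_wpuf_files( int $post_id ): array {
    $raw = get_post_meta( $post_id, '_wpuf_files', true );
    $ids = json_decode( (string) $raw, true );   // never maybe_unserialize() here
    return array_map( 'absint', is_array( $ids ) ? $ids : [] );
}
```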

Fix

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers
CVE-2026-5127

Affected Products
Wp User Frontend