CVE-2025-58673 MEDIUM

CVE-2025-58673: WordPress WP User Frontend Plugin <= 4.1.12 - Content Injection Vulnerability

Vendor: weDevs
Product: WP User Frontend
Weakness: CWE-94 · Code injection
Published: September 22, 2025
Last update: May 12, 2026

CVSS base score

5.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Improper Control of Generation of Code ('Code Injection') vulnerability in weDevs WP User Frontend wp-user-frontend allows Code Injection. This issue affects WP User Frontend: from n/a through <= 4.1.12.

Explanation of Vulnerability in Simple Terms

02 Summary

WP User Frontend versions up to 4.1.12 contain a code injection vulnerability that allows authenticated users with low privileges to inject and execute arbitrary code. An attacker can read sensitive data or modify site content. Update to a version newer than 4.1.12 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Inject and execute arbitrary code to read sensitive data or modify site content.

Potential impact on your site

04 Site Impact

Authenticated attackers can compromise site data integrity and confidentiality without admin access.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

September 22, 2025: CVE published
May 12, 2026: Record updated