Vulnerabilities and security researches forwpfront-user-role-editor wpfront-user-role-editor

Oct 12, 2025

CVE, Research URL: CVE-2025-60102
Home page URL: Security reports for WPFront User Role Editor
Application: WPFront User Role Editor
Date: Sep 26, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syam Mohan WPFront User Role Editor allows Stored XSS. This issue affects WPFront User Role Editor: from n/a through 4.2.3.
Affected versions: max 4.2.4.
Status: vulnerable

Apr 09, 2025

CVE, Research URL: CVE-2025-3064
Home page URL: Security reports for WPFront User Role Editor
Application: WPFront User Role Editor
Date: Apr 08, 2025
Research Description: The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. This is due to missing or incorrect nonce validation on the whitelist_options() function. This makes it possible for unauthenticated attackers to update the default role option that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances.
Affected versions: max 4.2.2.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2024-2931
Home page URL: Security reports for WPFront User Role Editor
Application: WPFront User Role Editor
Date: Apr 02, 2024
Research Description: The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract retrieve a list of all user email addresses who are registered on the site.
Affected versions: max 4.1.0.
Status: vulnerable

CVE, Research URL: CVE-2021-24984
Home page URL: Security reports for WPFront User Role Editor
Application: WPFront User Role Editor
Date: Dec 27, 2021
Research Description: The WPFront User Role Editor WordPress plugin before 3.2.1.11184 does not sanitise and escape the changes-saved parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting
Affected versions: max 3.2.1.11184.
Status: vulnerable