cleantalk
Vulnerabilities and Security Researches

WP Frontend Profile, CVE-2026-1644

CVE, Research URL

CVE-2026-1644

Home page URL

Security reports for WP Frontend Profile

Application

WP Frontend Profile

Published on
Mar 07, 2026
Research Description
The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Affected versions
max 1.3.9.
Status
vulnerable
Previous vulnerability researches
Simple GDPR Cookie Compliance (CVE-2026-24604) , Jan 27, 2026
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2019-25143) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (7d5b4ba83a5c6004460bf267fe534a359e1416b0) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2023-4013) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2025-1621) , Mar 14, 2025
New vulnerability
WP Google Ad Manager Plugin (CVE-2026-1399) , Apr 15, 2026
WP Social Meta (CVE-2026-2498) , Apr 15, 2026
Allow HTML in Category Descriptions (CVE-2026-0693) , Apr 15, 2026
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display G (CVE-2026-1916) , Apr 15, 2026
s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscription (CVE-2026-1994) , Apr 15, 2026