cleantalk
Vulnerabilities and Security Researches

WP Frontend Profile, 3c4372b76b1d274bdbd4efc646638599918abb3b

CVE, Research URL

3c4372b76b1d274bdbd4efc646638599918abb3b

Home page URL

Security reports for WP Frontend Profile

Application

WP Frontend Profile

Published on
May 19, 2020
Research Description
WP Frontend Profile [wp-front-end-profile] < 1.2.2 WP Frontend Profile <= 1.2.1 - Cross-Site Request Forgery The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the wpfep_save_password() function found in the 'wp-frontend-profile/functions/save-fields.php' file. This makes it possible for unauthenticated attackers to change the passwords of other users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.2.2.
Status
vulnerable
Previous vulnerability researches
WP Frontend Profile (CVE-2023-51483) , Jun 10, 2024
WP Frontend Profile (CVE-2019-15111) , Jun 10, 2024
WP Frontend Profile (CVE-2019-15110) , Jun 10, 2024
WP Frontend Profile (CVE-2026-1644) , Apr 15, 2026
WP Frontend Profile (CVE-2022-4974) , Nov 16, 2024
New vulnerability
WP Go Maps (formerly WP Google Maps) (CVE-2026-12238) , Jun 20, 2026
Media Library Assistant (CVE-2026-56012) , Jun 20, 2026
MStore API (CVE-2026-54817) , Jun 20, 2026
Bricksable for Bricks Builder (CVE-2026-56009) , Jun 20, 2026
Offload, AI &amp; Optimize with Cloudflare Images (CVE-2026-9860) , Jun 20, 2026