cleantalk
Vulnerabilities and Security Researches

WP Frontend Profile, CVE-2026-1644

CVE, Research URL

CVE-2026-1644

Home page URL

Security reports for WP Frontend Profile

Application

WP Frontend Profile

Published on
Mar 07, 2026
Research Description
The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Affected versions
max 1.3.9.
Status
vulnerable
Previous vulnerability researches
WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging (CVE-2024-9583) , Oct 23, 2024
WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging (CVE-2025-14745) , Jan 28, 2026
WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging (CVE-2025-14375) , Jan 28, 2026
WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging (CVE-2024-4860) , Jun 07, 2024
WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging (CVE-2022-0189) , Jun 07, 2024
New vulnerability
Collect.chat – Chatbot ⚡️ (CVE-2026-0736) , Apr 15, 2026
SQL Chart Builder (CVE-2026-4079) , Apr 15, 2026
FastDup – Fastest WordPress Migration & Duplicator (CVE-2026-1104) , Apr 15, 2026
Timeline Block (CVE-2026-1228) , Apr 15, 2026
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress (CVE-2026-3180) , Apr 15, 2026