On March 24th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in WP User Frontend Pro, a WordPress plugin with an estimated 9,000 active installations. The arbitrary file upload vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by authenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible.
Props to Foxyyy who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. This researcher earned bounties of $273.00 and $142.00 for these discoveries. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Malicious File Upload and Directory Traversal protections.
We contacted the weDevs team on March 31, 2025, and received a response on April 7, 2025. After providing full disclosure details, the developer released a patch on June 3, 2025.
We urge users to update their sites with the latest patched version of WP User Frontend Pro, version 4.1.4 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Technical Analysis #1: Arbitrary File Upload
WP User Frontend Pro is a WordPress membership plugin, which includes many premium features and functions.
Examining the code reveals that the plugin uses the message_send() function in the WPUF_Private_Message_Ajax class to send a message to another user. A file can be attached to the message, and for that the plugin uses the upload_files() function.
public function message_send() {
    // Message data
    $text    = isset( $_POST['message'] ) ? sanitize_text_field( wp_unslash( $_POST['message'] ) ) : '';
    $user_id = isset( $_POST['user_id'] ) ? intval( wp_unslash( $_POST['user_id'] ) ) : 0;
    $files   = isset( $_FILES['files'] ) ? wp_unslash( $_FILES['files'] ) : [];

    // The raw $_FILES array is handed to the upload helper without any type check
    $attachment_ids = $this->upload_files( $files );
    // ... (remainder of the function omitted in this advisory)
}
private function upload_files( $files ) {
    $total_file = isset( $files['name'] ) ? count( $files['name'] ) : 0;
    $attach_ids = [];

    // Upload files
    for ( $index = 0; $index < $total_file; $index++ ) {
        // Get file name (client-supplied, used as-is)
        $file_name      = $files['name'][$index];
        $file_temp_name = $files['tmp_name'][$index];

        // Upload details
        $upload_dir = _wp_upload_dir();
        $image_data = file_get_contents( $file_temp_name );

        if ( wp_mkdir_p( $upload_dir['path'] ) ) {
            $file = $upload_dir['path'] . '/' . $file_name;
        } else {
            $file = $upload_dir['basedir'] . '/' . $file_name;
        }

        // Written directly into the public uploads directory
        file_put_contents( $file, $image_data );
        // ... (remainder of the loop omitted in this advisory)
    }
}
Unfortunately, the upload_files() function does not include any file type or extension checks in the vulnerable version. This means that not only image or document files can be uploaded, but it is also possible to upload files with a .php extension. The file is uploaded to the WordPress uploads folder, which is publicly accessible by default. This makes it possible for authenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.
As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.
Please note that this vulnerability can only be exploited if the “Private Message” module is activated, which is disabled by default.
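For contrast, the following is an added example of how the same attachment upload could be written defensively; it is not code from WP User Frontend Pro or weDevs. It assumes it runs inside WordPress (wp_check_filetype_and_ext(), wp_handle_upload(), wp_insert_attachment() and the other calls are core functions), that the caller has already verified a nonce, and that the function name and the MIME whitelist are hypothetical choices for this illustration. The two defenses the vulnerable version lacks are a capability check and a whitelist applied to both the extension and the file's actual content.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress runtime.

/**
 * Upload attachments from a $_FILES-style array (with 'name', 'tmp_name',
 * 'type', 'size' and 'error' sub-arrays), accepting only whitelisted MIME
 * types, and return the attachment IDs that were created.
 *
 * @param array $files Entry such as $_FILES['files'].
 * @return int[]
 */
function wpuf_example_upload_files_hardened( array $files ) {
    // Hypothetical whitelist; keep it as narrow as the feature needs.
    $allowed_mimes = [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    ];

    // Subscribers do not have upload_files by default, so they are refused here.
    if ( ! current_user_can( 'upload_files' ) ) {
        return [];
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';

    $total      = ( isset( $files['name'] ) && is_array( $files['name'] ) ) ? count( $files['name'] ) : 0;
    $attach_ids = [];

    for ( $i = 0; $i < $total; $i++ ) {
        if ( (int) $files['error'][ $i ] !== UPLOAD_ERR_OK ) {
            continue;
        }
        // Only accept files PHP itself received in this request.
        if ( ! is_uploaded_file( $files['tmp_name'][ $i ] ) ) {
            continue;
        }

        // Never trust the client-supplied name: strip directories and odd characters.
        $name = sanitize_file_name( wp_basename( $files['name'][ $i ] ) );

        // Validate the extension AND the content signature against the whitelist;
        // a .php file renamed to .png fails here, as does a real .php file.
        $check = wp_check_filetype_and_ext( $files['tmp_name'][ $i ], $name, $allowed_mimes );
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            continue;
        }

        $single = [
            'name'     => $name,
            'type'     => $check['type'],
            'tmp_name' => $files['tmp_name'][ $i ],
            'error'    => $files['error'][ $i ],
            'size'     => $files['size'][ $i ],
        ];

        // wp_handle_upload() re-checks the MIME type against 'mimes' and
        // stores the file under the uploads directory with a unique name.
        $upload = wp_handle_upload( $single, [ 'test_form' => false, 'mimes' => $allowed_mimes ] );
        if ( isset( $upload['error'] ) ) {
            continue;
        }

        $attach_id = wp_insert_attachment( [
            'post_mime_type' => $upload['type'],
            'post_title'     => sanitize_text_field( pathinfo( $name, PATHINFO_FILENAME ) ),
            'post_content'   => '',
            'post_status'    => 'inherit',
        ], $upload['file'] );
        if ( is_wp_error( $attach_id ) || ! $attach_id ) {
            continue;
        }
        wp_update_attachment_metadata( $attach_id, wp_generate_attachment_metadata( $attach_id, $upload['file'] ) );
        $attach_ids[] = (int) $attach_id;
    }

    return $attach_ids;
}
```

Registering the result as an attachment (rather than writing bytes with file_put_contents()) also means the file shows up in the media library, where it can be audited and removed through normal WordPress tooling.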
Wordfence Firewall
The following graphic demonstrates the steps an attacker might take to exploit the vulnerability and the point at which the Wordfence firewall would block the attempt.
The firewall also blocks access to the file in the uploads folder:
Please note this protection only works if the “Disable Code Execution for Uploads directory” option is enabled in the Wordfence Global Options page. We strongly recommend all Wordfence users enable this option.
Technical Analysis #2: Arbitrary File Deletion
Examining the code reveals that the plugin uses the update_user_meta() function in the Profile_Form class to update several user meta values.
The function contains the following code snippet to set the user avatar:
// set featured image if there's any
if ( isset( $postdata['wpuf_files']['avatar'] ) ) {
    // Stored exactly as submitted: no check that this is an attachment ID or an image
    $attachment_id = $postdata['wpuf_files']['avatar'][0];
    update_user_meta( $user_id, 'user_avatar', $attachment_id );
}
Unfortunately, the avatar parameter is not properly sanitized and is not limited to image files. This means that attackers can specify any file on the server when updating the storage location of their user avatar.
Further examining the code reveals that the plugin uses the delete_avatar_ajax() function in the Posting_Profile class to delete the user avatar.
function delete_avatar_ajax() {
    check_ajax_referer( 'wpuf_nonce' );

    $post_data = wp_unslash( $_POST );

    if ( isset( $post_data['user_id'] ) && ! empty( $post_data['user_id'] ) ) {
        $user_id = $post_data['user_id'];
    } else {
        $user_id = get_current_user_id();
    }

    $avatar = get_user_meta( $user_id, 'user_avatar', true );

    if ( $avatar ) {
        if ( absint( $avatar ) > 0 ) {
            wp_delete_attachment( $avatar, true );
        } else {
            // Non-numeric value: treated as a URL and mapped onto the filesystem
            $upload_dir = wp_upload_dir();
            $full_url   = str_replace( $upload_dir['baseurl'], $upload_dir['basedir'], $avatar );

            if ( file_exists( $full_url ) ) {
                // Deleted without checking that the path is inside the uploads directory
                unlink( $full_url );
                // ... (remainder of the function omitted in this advisory)
            }
        }
    }
}
Unfortunately, the user avatar value is not properly validated or sanitized here either. This means that it deletes any previously specified file from the server.
This makes it possible for authenticated attackers with minimal access, like subscribers, to delete any arbitrary file on the server, including the site’s wp-config.php file. Deleting wp-config.php forces the site into a setup state, allowing an attacker to take control by redirecting it to a database under their control. This ultimately provides access to the site’s server where further infection can take place.
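Both halves of this chain, the avatar being stored unvalidated and the stored value being deleted unvalidated, can be closed independently. The following added example shows hardened versions of both steps; it is not code from WP User Frontend Pro or weDevs. It assumes a WordPress runtime (absint(), get_post(), wp_attachment_is_image(), current_user_can(), wp_upload_dir() and the other calls are core functions) and uses hypothetical function names. The avatar is only accepted as a numeric attachment ID for an image the user owns, the user_id parameter is only honoured for users allowed to edit that user, and any legacy URL value is resolved with realpath() and confined to the uploads directory before unlink() is ever reached.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress runtime.

/**
 * Store a user avatar only if it is an attachment ID for an image that
 * belongs to that user (or the caller can edit users).
 */
function wpuf_example_set_avatar( $user_id, $raw_value ) {
    $attachment_id = absint( $raw_value );
    if ( $attachment_id === 0 ) {
        return false; // paths and URLs are refused outright
    }
    $attachment = get_post( $attachment_id );
    if ( ! $attachment || $attachment->post_type !== 'attachment' ) {
        return false;
    }
    if ( ! wp_attachment_is_image( $attachment_id ) ) {
        return false;
    }
    if ( (int) $attachment->post_author !== (int) $user_id && ! current_user_can( 'edit_users' ) ) {
        return false;
    }
    update_user_meta( $user_id, 'user_avatar', $attachment_id );
    return true;
}

/**
 * Map an uploads URL to a filesystem path and verify, after realpath(),
 * that the result is still a regular file inside the uploads base directory.
 * Returns false for anything else (traversal, escaping symlinks, wp-config.php).
 */
function wpuf_example_resolve_upload_path( $url ) {
    $upload_dir = wp_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    if ( $base === false || strpos( $url, $upload_dir['baseurl'] ) !== 0 ) {
        return false;
    }
    $candidate = $upload_dir['basedir'] . substr( $url, strlen( $upload_dir['baseurl'] ) );
    $real      = realpath( $candidate );
    if ( $real === false || ! is_file( $real ) ) {
        return false;
    }
    // Compare with a trailing separator so "/uploads-evil/x" never matches "/uploads".
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strpos( $real, $prefix ) !== 0 ) {
        return false;
    }
    return $real;
}

/**
 * AJAX handler that deletes an avatar. Defaults to the current user; another
 * user_id is accepted only from callers who may edit that user.
 */
function wpuf_example_delete_avatar_ajax() {
    check_ajax_referer( 'wpuf_nonce' );

    $current   = get_current_user_id();
    $requested = isset( $_POST['user_id'] ) ? absint( wp_unslash( $_POST['user_id'] ) ) : 0;
    $user_id   = $current;
    if ( $requested && $requested !== $current ) {
        if ( ! current_user_can( 'edit_user', $requested ) ) {
            wp_send_json_error( 'not allowed', 403 );
        }
        $user_id = $requested;
    }

    $avatar        = get_user_meta( $user_id, 'user_avatar', true );
    $attachment_id = absint( $avatar );

    if ( $attachment_id > 0 ) {
        // Let WordPress delete the attachment, but only one this user owns or may delete.
        $attachment = get_post( $attachment_id );
        if ( $attachment && $attachment->post_type === 'attachment'
             && ( (int) $attachment->post_author === (int) $user_id
                  || current_user_can( 'delete_post', $attachment_id ) ) ) {
            wp_delete_attachment( $attachment_id, true );
        }
    } elseif ( is_string( $avatar ) && $avatar !== '' ) {
        // Legacy URL value: confine to the uploads directory and to image extensions.
        $path = wpuf_example_resolve_upload_path( $avatar );
        $ext  = $path === false ? '' : strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
        if ( $path !== false && in_array( $ext, [ 'jpg', 'jpeg', 'png', 'gif' ], true ) ) {
            unlink( $path );
        }
    }

    delete_user_meta( $user_id, 'user_avatar' );
    wp_send_json_success();
}

// Hook the handler for logged-in users only; the hook name is hypothetical.
add_action( 'wp_ajax_wpuf_example_delete_avatar', 'wpuf_example_delete_avatar_ajax' );
```

Because the avatar setter refuses anything but a verified attachment ID, the URL branch of the deleter is effectively dead code for new data; it is kept, with the realpath() containment check, only to handle values written before the fix.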
The complete exploit process looks like this:
Wordfence Firewall
The following graphic demonstrates the steps an attacker might take to exploit the vulnerability and the point at which the Wordfence firewall would block the attempt.
Disclosure Timeline
March 24, 2025 – We received submissions for both an Arbitrary File Upload vulnerability and an Arbitrary File Deletion vulnerability in WP User Frontend Pro via the Wordfence Bug Bounty Program.
March 31, 2025 – We validated the reports and confirmed the proof-of-concept exploits.
March 31, 2025 – We initiated contact with the plugin vendor asking them to confirm the inbox for handling the discussion.
April 7, 2025 – The vendor confirmed the inbox for handling the discussion.
April 7, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
June 3, 2025 – The fully patched version of the plugin, 4.1.4, was released.
Conclusion
In this blog post, we detailed an Arbitrary File Upload vulnerability, and an Arbitrary File Deletion vulnerability within the WP User Frontend Pro plugin affecting versions 4.1.3 and earlier. The Arbitrary File Upload vulnerability allows authenticated threat actors with subscriber-level permissions or higher to execute malicious code on the server. The Arbitrary File Deletion vulnerability allows authenticated threat actors with subscriber-level permissions or higher to delete arbitrary files, including the wp-config.php file, which can make site takeover possible. The vulnerabilities have been addressed in version 4.1.4 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of WP User Frontend Pro as soon as possible considering the critical nature of these vulnerabilities.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against these vulnerabilities.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.
The post 9,000 WordPress Sites Affected by Arbitrary File Upload and Deletion Vulnerabilities in WP User Frontend Pro WordPress Plugin appeared first on Wordfence.