9,000 WordPress Sites Affected by Arbitrary File Upload and Deletion Vulnerabilities in WP User Frontend Pro WordPress Plugin



On March 24th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in WP User Frontend Pro, a WordPress plugin with an estimated 9,000 active installations. The arbitrary file upload vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by authenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible.

Props to Foxyyy who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. This researcher earned bounties of $273.00 and $142.00 for these discoveries. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Malicious File Upload and Directory Traversal protections.

We contacted the weDevs team on March 31, 2025, and received a response on April 7, 2025. After we provided the full disclosure details, the developer released a patch on June 3, 2025.

We urge users to update their sites with the latest patched version of WP User Frontend Pro, version 4.1.4 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Arbitrary File Upload
CVSS Rating: 8.8 (High)
Affected Versions: <= 4.1.3
Patched Version: 4.1.4
Bounty: $273.00
Affected Software: WP User Frontend Pro
Researcher: Foxyyy

The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. Please note that this requires the ‘Private Message’ module to be enabled and the Business version of the PRO software to be in use.

Arbitrary File Deletion
CVSS Rating: 8.1 (High)
Affected Versions: <= 4.1.3
Patched Version: 4.1.4
Bounty: $142.00
Affected Software: WP User Frontend Pro
Researcher: Foxyyy

The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Technical Analysis: Arbitrary File Upload

WP User Frontend Pro is a WordPress membership plugin, which includes many premium features and functions.

Examining the code reveals that the plugin uses the message_send() function in the WPUF_Private_Message_Ajax class to send a message to another user, where it is also possible to attach a file, for which the plugin uses the upload_files() function.

public function message_send() {
    // Message data
    $text       = isset( $_POST['message'] ) ? sanitize_text_field( wp_unslash( $_POST['message'] ) ) : '';
    $user_id    = isset( $_POST['user_id'] ) ? intval( wp_unslash( $_POST['user_id'] ) ) : 0;
    // The raw $_FILES entry is handed straight to upload_files(); nothing inspects the files here
    $files      = isset( $_FILES['files'] ) ? wp_unslash( $_FILES['files'] ) : [];

    $attachment_ids = $this->upload_files( $files );
    // ... the message is then stored together with $attachment_ids (remainder of the function not shown)
}

private function upload_files( $files ) {
    $total_file = isset( $files['name'] ) ? count( $files['name'] ) : 0;
    $attach_ids = [];
    // Upload files
    for ( $index = 0; $index < $total_file; $index++ ) {
        // Get file name exactly as supplied by the client; no extension or type check
        $file_name      = $files['name'][$index];
        $file_temp_name = $files['tmp_name'][$index];

        // Upload details
        $upload_dir = _wp_upload_dir();
        $image_data = file_get_contents( $file_temp_name );

        // Destination is the web-accessible uploads directory, under the client-chosen name
        if ( wp_mkdir_p( $upload_dir['path'] ) ) {
            $file = $upload_dir['path'] . '/' . $file_name;
        } else {
            $file = $upload_dir['basedir'] . '/' . $file_name;
        }

        // Raw write: a name ending in .php is written as-is
        file_put_contents( $file, $image_data );
        // ... an attachment record is created and its ID appended to $attach_ids (remainder not shown)
    }
    return $attach_ids;
}

Unfortunately, the upload_files() function performs no file type or extension check in the vulnerable version: the name the client supplies in $_FILES['files']['name'] is used verbatim, so a file with a .php extension is accepted just as readily as an image or document. The file is written to the WordPress uploads directory, which is publicly accessible by default. An authenticated attacker can therefore upload a file containing PHP code and then request it by URL to have the server execute it, achieving remote code execution.

As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.

Please note that this vulnerability can only be exploited if the “Private Message” module is activated, which is disabled by default.
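The following is an added example of how upload_files() can be hardened; it is not the plugin's own code and not the fix shipped in 4.1.4. It assumes it runs inside WordPress (wp_handle_upload(), wp_insert_attachment() and the other calls are core functions); the function name and the $allowed_mimes allowlist are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code or its 4.1.4 patch: a hardened
// replacement for upload_files(). Runs inside WordPress. The function name
// and the $allowed_mimes list are assumptions made for this example.
function wpuf_example_upload_files( array $files ) {
    // wp_handle_upload() lives in an admin include that is not loaded on front-end AJAX requests.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // Explicit allowlist for message attachments (assumed policy). PHP and other
    // server-side types are simply absent, so they are rejected whatever the filename.
    $allowed_mimes = [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    ];

    $attach_ids = [];
    $total_file = isset( $files['name'] ) ? count( (array) $files['name'] ) : 0;

    for ( $index = 0; $index < $total_file; $index++ ) {
        // Re-pack the multi-file $_FILES layout into the single-file shape wp_handle_upload() expects.
        $file = [
            'name'     => $files['name'][ $index ],
            'type'     => $files['type'][ $index ],
            'tmp_name' => $files['tmp_name'][ $index ],
            'error'    => $files['error'][ $index ],
            'size'     => $files['size'][ $index ],
        ];

        // wp_handle_upload() verifies is_uploaded_file(), checks the extension and the
        // sniffed content type against $allowed_mimes, sanitizes the filename and picks
        // a unique destination inside the uploads directory itself. 'test_form' => false
        // is required because this is an AJAX request, not a wp-admin form post.
        $result = wp_handle_upload( $file, [ 'test_form' => false, 'mimes' => $allowed_mimes ] );
        if ( isset( $result['error'] ) ) {
            continue; // rejected (disallowed type, upload error, ...): skip this file
        }

        // Register the file as an attachment so it is referenced by ID from now on,
        // never by a caller-controlled path.
        $attach_id = wp_insert_attachment(
            [
                'post_mime_type' => $result['type'],
                'post_title'     => sanitize_file_name( pathinfo( $result['file'], PATHINFO_FILENAME ) ),
                'post_status'    => 'inherit',
            ],
            $result['file']
        );
        if ( ! is_wp_error( $attach_id ) ) {
            $attach_ids[] = $attach_id;
        }
    }

    return $attach_ids;
}
```

The point of delegating to wp_handle_upload() rather than writing the file by hand is that the extension and the sniffed MIME type are checked against an explicit allowlist and the destination is chosen by WordPress, so neither the file name nor the storage path is attacker-controlled. The caller should still gate the endpoint behind a nonce and a login or capability check, and serving the uploads directory with PHP execution disabled (as the Wordfence option described below does) remains a worthwhile second layer should a type check ever be bypassed.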

Wordfence Firewall

The following graphic demonstrates the steps an attacker might take to exploit the vulnerability, and the point at which the Wordfence firewall would block the attempt.

The firewall also blocks access to the file in the uploads folder:

Please note this protection only works if the “Disable Code Execution for Uploads directory” option is enabled in the Wordfence Global Options page. We strongly recommend all Wordfence users enable this option.

Technical Analysis: Arbitrary File Deletion

Examining the code reveals that the plugin uses the update_user_meta() function in the Profile_Form class to update several user meta fields.

The function contains the following code snippet to set the user avatar:

// set featured image if there's any
if ( isset( $postdata['wpuf_files']['avatar'] ) ) {
    $attachment_id = $postdata['wpuf_files']['avatar'][0];

    update_user_meta( $user_id, 'user_avatar', $attachment_id );
}

Unfortunately, the avatar value taken from the submitted form data is stored as-is: it is neither restricted to a numeric attachment ID nor to a location inside the uploads directory, and it is not limited to image files. A user updating their own profile can therefore store an arbitrary server path in their user_avatar meta, and that stored value is what the deletion routine later acts on.

Further examining the code reveals that the plugin uses the delete_avatar_ajax() function in the Posting_Profile class to delete the user avatar.

function delete_avatar_ajax() {
    check_ajax_referer( 'wpuf_nonce' );
    $post_data = wp_unslash( $_POST );
    // The user ID comes from the request when supplied, otherwise from the session
    if ( isset( $post_data['user_id'] ) && ! empty( $post_data['user_id'] ) ) {
        $user_id = $post_data['user_id'];
    } else {
        $user_id = get_current_user_id();
    }
    // Whatever was stored in user_avatar (see update_user_meta() above) is used as-is
    $avatar = get_user_meta( $user_id, 'user_avatar', true );
    if ( $avatar ) {
        if ( absint( $avatar ) > 0 ) {
            wp_delete_attachment( $avatar, true );
        } else {
            $upload_dir = wp_upload_dir();
            // Only a leading baseurl prefix is rewritten; any other string passes through unchanged
            $full_url = str_replace( $upload_dir['baseurl'], $upload_dir['basedir'], $avatar );
            if ( file_exists( $full_url ) ) {
                unlink( $full_url );
            }
        }
    }
}

Unfortunately, the user avatar value is not validated or sanitized here either. A non-numeric value goes through str_replace(), which only swaps a leading uploads baseurl prefix for the basedir path; a value that does not begin with that prefix, such as an absolute server path, reaches file_exists() and unlink() unchanged. The function therefore deletes whatever file was previously stored in the user's avatar meta.

This makes it possible for authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server, including the site’s wp-config.php file. Deleting wp-config.php forces the site into its setup state, which allows an attacker to take control by completing the installation against a database under their control. This ultimately provides access to the site’s server, where further infection can take place.
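The following is an added example of how delete_avatar_ajax() can be hardened; it is not the plugin's own code and not the fix shipped in 4.1.4. It assumes it runs inside WordPress (realpath() is plain PHP; wp_upload_dir(), trailingslashit(), wp_send_json_error() and the rest are core functions); the function name, the image-extension allowlist and the decision to act only on the calling user's own avatar are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code or its 4.1.4 patch: a hardened
// replacement for delete_avatar_ajax(). Runs inside WordPress. The function
// name, the extension allowlist and the "current user only" policy are
// assumptions made for this example.
function wpuf_example_delete_avatar_ajax() {
    check_ajax_referer( 'wpuf_nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 403 ); // wp_send_json_error() exits
    }

    // Operate on the caller's own avatar only; nothing is read from $_POST.
    $user_id = get_current_user_id();
    $avatar  = get_user_meta( $user_id, 'user_avatar', true );
    if ( ! $avatar ) {
        wp_send_json_error( 'no avatar set' );
    }

    if ( absint( $avatar ) > 0 ) {
        // Numeric value: delete it only if it really is an attachment this user owns.
        $post = get_post( absint( $avatar ) );
        if ( $post && 'attachment' === $post->post_type && (int) $post->post_author === $user_id ) {
            wp_delete_attachment( $post->ID, true );
        }
    } else {
        $upload_dir = wp_upload_dir();
        $basedir    = realpath( $upload_dir['basedir'] );
        $prefix     = trailingslashit( $upload_dir['baseurl'] );

        // A string value must be a URL under the uploads baseurl. Anything else
        // (an absolute server path, another host, a bare filename) is refused
        // instead of being passed through to unlink() unchanged.
        if ( false === $basedir || 0 !== strpos( $avatar, $prefix ) ) {
            wp_send_json_error( 'avatar is not an uploads URL' );
        }
        $relative  = substr( $avatar, strlen( $prefix ) );
        $candidate = realpath( $basedir . '/' . $relative );

        // realpath() resolves ../ segments and symlinks, so the containment test is
        // made on the real filesystem path rather than on the stored string.
        if ( false === $candidate || 0 !== strpos( $candidate, $basedir . DIRECTORY_SEPARATOR ) ) {
            wp_send_json_error( 'avatar resolves outside the uploads directory' );
        }
        if ( ! is_file( $candidate ) ) {
            wp_send_json_error( 'avatar file not found' );
        }

        // Avatars are images; refuse to unlink anything else, even inside uploads.
        $ext = strtolower( pathinfo( $candidate, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, [ 'jpg', 'jpeg', 'png', 'gif', 'webp' ], true ) ) {
            wp_send_json_error( 'avatar is not an image file' );
        }

        unlink( $candidate );
    }

    delete_user_meta( $user_id, 'user_avatar' );
    wp_send_json_success();
}
```

Two checks do the real work here: the stored value must start with the uploads baseurl, and the realpath()-resolved target must still sit under the resolved basedir, which closes both the "absolute path passes through str_replace() untouched" case and any ../ traversal inside a legitimate-looking URL. The same discipline belongs on the write side as well: the profile form should store only an absint() attachment ID that the user owns, so that a non-numeric avatar value never reaches this routine in the first place.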

The complete exploit process looks like this:

Wordfence Firewall

The following graphic demonstrates the steps an attacker might take to exploit the vulnerability, and the point at which the Wordfence firewall would block the attempt.

Disclosure Timeline

March 24, 2025 – We received submissions for both an Arbitrary File Upload vulnerability and an Arbitrary File Deletion vulnerability in WP User Frontend Pro via the Wordfence Bug Bounty Program.
March 31, 2025 – We validated the reports and confirmed the proof-of-concept exploits.
March 31, 2025 – We initiated contact with the plugin vendor asking them to confirm the inbox for handling the discussion.
April 7, 2025 – The vendor confirmed the inbox for handling the discussion.
April 7, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
June 3, 2025 – The fully patched version of the plugin, 4.1.4, was released.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability, and an Arbitrary File Deletion vulnerability within the WP User Frontend Pro plugin affecting versions 4.1.3 and earlier. The Arbitrary File Upload vulnerability allows authenticated threat actors with subscriber-level permissions or higher to execute malicious code on the server. The Arbitrary File Deletion vulnerability allows authenticated threat actors with subscriber-level permissions or higher to delete arbitrary files, including the wp-config.php file, which can make site takeover possible. The vulnerabilities have been addressed in version 4.1.4 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WP User Frontend Pro as soon as possible, considering the high severity of these vulnerabilities.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against these vulnerabilities.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.
