CVE-2021-25076

Summary

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting

Affected Software

VendorProductVersion RangeStatus
UnknownWP User Frontend – Membership, Profile, Registration & Post Submission Plugin for WordPress3.5.26 < 3.5.26affected

Weaknesses

  • CWE-89: CWE-89 SQL Injection

ADP Enrichment

CVE Program Container

Additional References

References