CVE-2026-2233
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' ParameterThe User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter.
We have discovered 1,497 live websites that are affected by CVE-2026-2233.
Affected Software
| Product |  Wp User Frontend |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,497 live websites (99% of Wp User Frontend install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 49 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Mar 15, 2026
- Updated - Mar 16, 2026
Credits
- Supakiad S. (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-2233 United States | 453 websites |
 Germany | 131 websites |
 France | 101 websites |
 GB | 80 websites |
 Italy | 62 websites |
 Cyprus | 61 websites |
 Brazil | 57 websites |
 India | 51 websites |
 Japan | 33 websites |
 Netherlands | 27 websites |
Website Distribution by TLD
Number of websites using CVE-2026-2233| .com | 632 websites |
| .org | 117 websites |
| .de | 65 websites |
| .net | 57 websites |
| .it | 44 websites |
| .com.br | 42 websites |
| .fr | 39 websites |
| .co.uk | 36 websites |
| .nl | 24 websites |
| .ch | 19 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-2233
Top websites that are affected by CVE-2026-2233. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********************.com | United States | **,*** | |
| ***********.pl |  Poland | ***,*** | |
| ***.***.uk | United States | ***,*** | |
| **********.org | France | ***,*** | |
| ************.com | United States | ***,*** | |
| ***************.com | United States | ***,*** | |
| ********.com |  Canada | ***,*** | |
| ****.org |  Switzerland | ***,*** | |
| ***.***.py |  Paraguay | ***,*** | |
| ********.org | Italy | ***,*** |
FAQ
CVE-2026-2233 is Missing Authorization in Wp User Frontend
A total of 1,497 websites have been identified as vulnerable to CVE-2026-2233, based on global website indexing conducted by WebTechSurvey.
The Wp User Frontend is affected by the CVE-2026-2233 vulnerability.
Wp User Frontend versions up to and including 4.2.8 are vulnerable to CVE-2026-2233.