Capability Check Omission Enables Subscription Cancellation in User Frontend 4.3.2
CVE-2026-4058 Published on June 9, 2026
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators.
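The missing-check pattern described above, beside a corrected form, as an added illustration for a WordPress site; it is not the plugin's code. It assumes the handler is reached through an AJAX action and takes the target account from the request, and the `example_*` functions, the `example_cancel_pack` action and nonce, and the `_example_sub_pack` meta key are hypothetical.

```php
<?php
/**
 * Added illustration, not the plugin's code. Hypothetical names: the
 * example_* functions, the 'example_cancel_pack' action and nonce, and the
 * '_example_sub_pack' user meta key.
 */

// Flawed pattern: any logged-in user can reach a wp_ajax_* handler, and the
// target account comes from the request with no authorization decision.
// Defined for comparison only; it is never registered on a hook.
function example_cancel_vulnerable() {
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    delete_user_meta( $target_id, '_example_sub_pack' );
    wp_send_json_success();
}

// Corrected pattern: verify request intent, then decide whether the caller
// may act on the target account before changing anything.
function example_cancel_hardened() {
    // 1. CSRF / intent check. A nonce alone is not an authorization check.
    check_ajax_referer( 'example_cancel_pack', 'nonce' );

    $caller_id = get_current_user_id();
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $caller_id;

    // 2. Authorization: the caller's own subscription, or a caller who is
    //    allowed to edit the target user (WordPress 'edit_user' meta capability).
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. The target account must exist.
    if ( ! get_userdata( $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 404 );
    }

    delete_user_meta( $target_id, '_example_sub_pack' );
    wp_send_json_success( array( 'cancelled_for' => $target_id ) );
}
add_action( 'wp_ajax_example_cancel_pack', 'example_cancel_hardened' );
```

When reviewing similar handlers, check that every state-changing callback pairs a nonce check with a `current_user_can()` or ownership test on the object being modified.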
Timeline
Discovered
Vendor Notified 16 days later.
Disclosed 88 days later.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-4058 has been classified as an AuthZ vulnerability or weakness.
Affected Versions
wedevs User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration: versions before and including 4.3.2 are affected.