The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration WordPress plugin suffers from a deserialization of untrusted data vulnerability (CWE-502) in versions up to 4.3.1. The issue stems from inadequate validation and type checking of the wpuf_files parameter during form submission combined with unconditional deserialization via maybe_unserialize() when rendering post content. Authenticated attackers with Subscriber-level privileges or higher can exploit this to inject arbitrary PHP objects, potentially enabling arbitrary code execution, file deletion, or other malicious actions if a gadget chain is present on the system. The CVSS 3.1 score is 8.8 (high severity), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. No official patch or vendor advisory detailing remediation is currently available.

Successful exploitation allows authenticated users with Subscriber-level access or above to execute arbitrary PHP code, delete arbitrary files, or perform other malicious actions on the affected system. This can compromise the confidentiality, integrity, and availability of the WordPress site and potentially the underlying server environment. The vulnerability is exploitable remotely over the network without user interaction, increasing its risk.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Subscriber-level access to trusted users only and consider disabling or limiting the use of the vulnerable plugin. Monitor for updates from the vendor and apply patches promptly once available.