Platform
wordpress
Component
wp-front-end-profile
Fixed version
1.3.9
CVE-2026-1644 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Frontend Profile plugin for WordPress. This flaw allows unauthenticated attackers to potentially manipulate user account registrations by tricking administrators into performing actions. The vulnerability impacts versions 0.0.0 through 1.3.8, and a patch is available in version 1.3.9.
The root cause is the absence of nonce validation in the plugin's 'update_action' function. In a CSRF attack, the attacker crafts a request that the victim's browser sends together with the victim's own session cookies, so it appears to originate from a legitimate, logged-in user. An attacker could, for example, create a link containing a forged request to approve or reject a user registration. If an administrator clicks this link while logged in, the plugin executes the request without verifying that the administrator actually intended it, potentially granting or denying access to a user account without consent. This could lead to unauthorized account creation or denial of service for legitimate users attempting to register.
CVE-2026-1644 was publicly disclosed on 2026-03-06. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. The medium CVSS score reflects the potential for unauthorized account manipulation, but the requirement for administrator interaction limits the immediate exploitability.
WordPress websites utilizing the WP Frontend Profile plugin, particularly those with multiple administrators or shared administrative accounts, are at increased risk. Sites with lax security practices or those that haven't implemented robust user access controls are also more vulnerable.
• wordpress / composer / npm:
grep -r 'update_action' /var/www/html/wp-content/plugins/wp-frontend-profile/
• wordpress / composer / npm:
wp plugin list --fields=name,status,version | grep 'wp-frontend-profile'
• wordpress / composer / npm:
wp plugin update wp-frontend-profile
Disclosure
Exploit status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1644 is to immediately upgrade the WP Frontend Profile plugin to version 1.3.9 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the 'update_action' endpoint. Specifically, look for requests lacking proper CSRF tokens. Additionally, educate administrators about the risks of clicking on links from untrusted sources and encourage them to carefully review all actions before confirming them. Regularly scan your WordPress installation for outdated plugins using a security plugin.
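To make the missing-nonce flaw described above and the fix concrete, here is an added example (not the WP Frontend Profile plugin's own code) of a hypothetical front-end registration handler in its vulnerable form and in a hardened form. All function, field and meta-key names prefixed fep_demo_ are assumptions for this illustration; the WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, absint, sanitize_key, update_user_meta) are real.

```php
<?php
// Added illustration, not the plugin's code. A hypothetical handler that
// approves or rejects a pending registration from a POST request.
// Names prefixed fep_demo_ are assumptions made for this example.

// BEFORE: no nonce check and no capability check. Any POST that an
// administrator's browser sends (including one triggered from a page the
// attacker controls, with the admin's cookies attached) is processed.
function fep_demo_update_action_vulnerable() {
    if ( ! isset( $_POST['fep_demo_user_id'], $_POST['fep_demo_decision'] ) ) {
        return;
    }
    $user_id  = absint( $_POST['fep_demo_user_id'] );
    $decision = sanitize_key( $_POST['fep_demo_decision'] );
    fep_demo_apply_decision( $user_id, $decision );
}

// AFTER: require a nonce bound to this user's session and to this specific
// action, then require the right capability before changing anything.
function fep_demo_update_action_fixed() {
    if ( ! isset( $_POST['fep_demo_user_id'], $_POST['fep_demo_decision'] ) ) {
        return;
    }
    // check_admin_referer() stops execution with an error page when the nonce
    // is missing, expired, or was issued for a different action or user.
    check_admin_referer( 'fep_demo_update_action', 'fep_demo_nonce' );

    // Nonces prove intent, not authorization: still enforce the capability.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'fep-demo' ), 403 );
    }

    $user_id  = absint( $_POST['fep_demo_user_id'] );
    $decision = sanitize_key( $_POST['fep_demo_decision'] );
    fep_demo_apply_decision( $user_id, $decision );
}

// The legitimate form must embed the matching nonce; a forged cross-site
// request cannot obtain it because it is derived from the victim's session.
function fep_demo_render_form( $user_id ) {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'fep_demo_update_action', 'fep_demo_nonce' ); ?>
        <input type="hidden" name="fep_demo_user_id" value="<?php echo esc_attr( $user_id ); ?>">
        <button name="fep_demo_decision" value="approve">Approve</button>
        <button name="fep_demo_decision" value="reject">Reject</button>
    </form>
    <?php
}

// Placeholder for the real approve/reject logic (constructed for this example).
function fep_demo_apply_decision( $user_id, $decision ) {
    update_user_meta( $user_id, 'fep_demo_registration_status', $decision );
}
```

Despite its name, check_admin_referer() works for front-end forms as well; it verifies the nonce field named in its second argument and the action name in its first. The same nonce field is also what a temporary WAF rule, as suggested above, can key on: a request to the handler that carries no nonce parameter at all is not one the legitimate form would produce.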
Update to version 1.3.9 or a later fixed version.
CVE-2026-1644 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Frontend Profile WordPress plugin, allowing attackers to manipulate user registrations.
You are affected if you are using WP Frontend Profile versions 0.0.0 through 1.3.8. Upgrade to 1.3.9 or later to mitigate the risk.
Upgrade the WP Frontend Profile plugin to version 1.3.9 or later. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the WP Frontend Profile plugin's official website or WordPress plugin repository for the latest security advisories and updates.