Get Started

WordPress: Arbitrary File Deletion via delete_avatar_ajax in WP User Frontend Pro Plugin

by the Hossted team
05.06.2025

In WP User Frontend Pro plugin for WordPress versions up to and including 4.1.3 a high severity vulnerability CVE-2025-3055 was detected. This vulnerability allows authenticated users with Subscriber access or higher to delete arbitrary server files via the delete_avatar_ajax() function, potentially leading to remote code execution if critical files like wp-config.php are removed. To address this issue, users should upgrade WP User Frontend Pro plugin to versions 4.1.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3055.

Related articles
OSSpedia
OSSpedia 19 Feb 2025 WordPress: Insecure Direct Object Reference in Education Addon for Elementor Plugin Business and Enterprise Solutions CMS WOR
OSSpedia 19 Feb 2025 WordPress: Cross-Site Request Forgery Vulnerability in DeBounce Email Validator Plugin Business and Enterprise Solutions CMS WOR
OSSpedia 19 Feb 2025 WordPress: Unauthorized Access Vulnerability in Raptive Ads Plugin Business and Enterprise Solutions CMS WOR
OSSpedia 11 Mar 2025 WordPress: Stored XSS Vulnerability in Countdown Timer Plugin Business and Enterprise Solutions CMS WOR