CVE-2025-3055 in WP User Frontend Pro Plugininfo

Summary

by MITRE • 06/05/2025

The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Reservation

03/31/2025

Disclosure

06/05/2025

Moderation

accepted

Entry

VDB-311194

CPE

ready

CWE

CWE-404 (confirmed)

CVSS

6.5 (VulDB)

EPSS

0.05635

KEV

Activities

very low

Sector

Hostingprovider

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2025-3055
NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-3055
CVE Details	https://www.cvedetails.com/cve/CVE-2025-3055/

◂ Previous Overview Next ▸

Want to know what is going to be exploited?

We predict KEV entries!