What is GHSA-phqc-jwcv-qpxf?

GHSA-phqc-jwcv-qpxf is a security advisory published by GitHub Security Advisories with Medium severity. The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User...

Which CVE IDs does GHSA-phqc-jwcv-qpxf cover?

GHSA-phqc-jwcv-qpxf covers the following CVE IDs: CVE-2026-4058. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-phqc-jwcv-qpxf?

GHSA-phqc-jwcv-qpxf has a CVSS v3 base score of 4.3, published by GitHub Security Advisories.

GHSA-phqc-jwcv-qpxfMediumCVSS 4.3

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User...

Vendor

GitHub Security Advisories

Published

June 9, 2026

Last Modified

June 9, 2026

🔗 CVE IDs covered (1)

CVE-2026-4058 →

📋 Description

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-4058
https://plugins.trac.wordpress.org/changeset/3528244
https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdf34bb-a887-444c-8a76-12901fed6662?source=cve
https://github.com/advisories/GHSA-phqc-jwcv-qpxf