WP User Frontend Pro Plugin Vulnerabilities - CVE-2025-3055 and CVE-2025-3054

Are you using the WP User Frontend Pro plugin? If yes, please update it immediately.

Today (04/06/2025), two vulnerabilities were discovered in the WP User Frontend Pro plugin.

CVE-2025-3054 allows arbitrary file uploads by anyone who has at least subscriber access. This means that if you have registrations enabled on your website, anyone can register as a subscriber and upload any files to your server (for example, malicious files or mining scripts).

CVE-2025-3055 allows arbitrary file deletion by anyone with at least subscriber access. Like the vulnerability above, this is super critical: if you have registrations enabled, anyone can register on your site and then delete any file(s) from your server.

Please update the plugin to the latest version (4.1.4).

If you need help, feel free to reach out, or check out my WP maintenance, malware removal, and other services.
