Description
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the `usp_get_submitted_category()` function accepting user-submitted category IDs from the POST body without validating them against the admin-configured allowed categories stored in `usp_options['categories']`. This makes it possible for unauthenticated attackers to assign submitted posts to arbitrary categories, including restricted ones, by crafting a direct POST request with manipulated `user-submitted-category[]` values, bypassing the frontend category restrictions.
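To make the authorization gap concrete, here is an added illustration written for this page; it is a hypothetical reconstruction of the pattern the description outlines, not the plugin's own `usp_get_submitted_category()` and not its patched version. The first function trusts whatever `user-submitted-category[]` values arrive in the POST body; the second keeps only IDs that also appear in the admin-configured allow-list. The shape of `usp_options['categories']` (an array of term IDs) and the fallback behaviour are assumptions.

```php
<?php
// Added example: hypothetical reconstruction of the flaw described in the advisory.
// Neither function is the plugin's actual code; names follow the advisory text.

// Vulnerable pattern: every submitted category ID is accepted as-is, so the
// front-end form limiting the visible choices is the only "control".
function usp_get_submitted_category_unsafe(array $post): array {
    $submitted = $post['user-submitted-category'] ?? [];
    return array_map('intval', (array) $submitted);
}

// Hardened pattern: intersect the submitted IDs with the admin allow-list
// stored in the usp_options['categories'] setting (assumed to be an array
// of term IDs), and fall back to a default when nothing survives the check.
function usp_get_submitted_category_safe(array $post, array $usp_options): array {
    $allowed   = array_map('intval', (array) ($usp_options['categories'] ?? []));
    $submitted = array_map('intval', (array) ($post['user-submitted-category'] ?? []));

    // Server-side check: only IDs present in both lists are kept.
    $valid = array_values(array_intersect($submitted, $allowed));
    if (empty($valid)) {
        // Assumed fallback: first allowed category, else WordPress's built-in
        // category ID 1 ("Uncategorized"). A real plugin would read its
        // configured default instead.
        $valid = [$allowed[0] ?? 1];
    }
    return $valid;
}

// Constructed demonstration values (not taken from any real site).
$usp_options = ['categories' => [5, 7]];           // admin allows categories 5 and 7
$post        = ['user-submitted-category' => ['5', '42']]; // 42 is not allowed

var_dump(usp_get_submitted_category_unsafe($post));
var_dump(usp_get_submitted_category_safe($post, $usp_options));
```

Running it shows the unsafe variant passing category 42 through, while the safe variant returns only the allow-listed ID 5; the point is that the restriction must be enforced where the POST body is processed, not in the form that renders the choices.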
Problem types
CWE-863 Incorrect Authorization
Product status
Affected versions: * (semver)
Timeline
| Date | Event |
|---|---|
| 2026-02-06 | Vendor Notified |
| 2026-02-17 | Disclosed |
Credits
M Indra Purnama
References
www.wordfence.com/...-5cc3-40b1-a15a-10d53383abe6?source=cve
plugins.trac.wordpress.org/...60113/user-submitted-posts.php
plugins.trac.wordpress.org/...60113/user-submitted-posts.php
plugins.trac.wordpress.org/...%2Ftrunk&sfp_email=&sfph_mail=