Description
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 20240319 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-04-03
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

The vulnerability is a stored XSS flaw in the User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress. The plugin stores input from its admin settings without sanitizing it and later outputs it without proper escaping. An attacker who has administrator-level permissions and access to the plugin's configuration can inject arbitrary JavaScript that executes when any user visits a page containing the injected content. This could be used for phishing, session hijacking, or delivering malware to site visitors. The weakness is a classic example of missing input validation and output encoding (CWE-79).

Affected Systems

WordPress sites running any version of the User Submitted Posts plugin up to and including 20240319. The issue only manifests on multi-site installations and on installations where the unfiltered_html capability is turned off (on single-site installs with the default capabilities, administrators can already post unfiltered HTML, so the missing escaping grants them nothing new). Administrators, or users with equivalent permissions, who modify the plugin's settings are the primary entry point.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Because it requires an authenticated administrator account, the realistic threat is an insider or an attacker who has already gained privileged access. Exploitation would involve logging into the site, navigating to the plugin's admin settings, and injecting malicious code that persists in stored posts and runs on every page visit by any user who views those posts.

Generated by OpenCVE AI on April 21, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the User Submitted Posts plugin to version 20241026 or later. This version fixes the input sanitization bug and properly escapes output.
  • Restrict access to the plugin's admin settings to a minimal set of trusted administrators, and remove or reassign user roles that are not essential for managing the plugin.
  • Disable the plugin on multi-site installations until the vulnerability can be addressed, or consider disabling multi-site if it is not required for your environment.

Advisories
Source: EUVD
ID: EUVD-2025-9587
Title: The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 20240319 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
History

Thu, 03 Apr 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 03 Apr 2025 07:30:00 +0000

Type: Description
Values Added: The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 20240319 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Type: Title
Values Added: User Submitted Posts <= 20241026 - Authenticated (Admin+) Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:47.163Z

Reserved: 2025-03-27T14:51:27.637Z

Link: CVE-2025-2874

Vulnrichment

Updated: 2025-04-03T19:10:30.598Z

NVD

Status: Deferred

Published: 2025-04-03T08:15:16.470

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses