Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Jeff Starr User Submitted Posts user-submitted-posts allows Phishing. This issue affects User Submitted Posts: from n/a through <= 20251121.
Published: 2025-12-24
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to craft a URL that, when redirected by the User Submitted Posts plugin, directs site visitors to an untrusted site. This can be used for phishing attacks or to spread malware by exploiting users' trust in the site. The weakness is an open URL redirection flaw: the redirect target is not validated, so once it is embedded in a user‑submittable field it can be exploited with minimal effort.

Affected Systems

Jeff Starr’s User Submitted Posts plugin for WordPress is impacted. All releases through and including version 20251121 contain the flaw. The issue arises when the plugin processes user‑submitted content that includes a redirect link.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate overall severity. The EPSS score of less than 1% suggests this is not a common or actively exploited vulnerability at present, and it is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote; an attacker can supply malicious content via the public submission form, causing the plugin to redirect a visitor to a malicious domain. Exploitation requires that a user visits the targeted post, so it relies on social engineering rather than on privileged access or exploitation of low‑level system flaws.

Generated by OpenCVE AI on April 29, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the User Submitted Posts plugin to a version newer than 20251121.
  • If an immediate upgrade is impossible, disable or remove the feature that allows external URLs in user submissions, or configure the plugin to restrict redirects to the site’s own domain.
  • Thoroughly review the plugin configuration to ensure that any retained redirection capability is tightly controlled or purged of external link support.
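The second and third recommendations above amount to one control: refuse any redirect target that does not stay on the site's own host. The following is an added illustration of that check, not code from the User Submitted Posts plugin or from OpenCVE; the host name and the sample targets are constructed, and a WordPress deployment would apply the same rule with its own host (WordPress core exposes wp_validate_redirect / wp_safe_redirect for this purpose).

```python
from urllib.parse import urlsplit

# Constructed for this example: the site's own host name.
SITE_HOST = "blog.example.com"

def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """Return True only if following `target` keeps the visitor on `site_host`.

    Accepts same-host absolute http(s) URLs and plain site-relative paths.
    Refuses foreign hosts, protocol-relative ("//host") and backslash
    variants, non-HTTP schemes, userinfo tricks ("https://site@evil") and
    control characters, which is what "restrict redirects to the site's own
    domain" has to mean in practice.
    """
    target = target.strip()
    if not target or any(c in target for c in "\r\n\x00"):
        return False                      # header-injection / NUL tricks
    # Browsers treat a backslash like a slash in the authority; normalise first.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False                  # javascript:, data:, ftp: ...
        # .hostname drops userinfo and port, so "site@evil" resolves to evil
        return (parts.hostname or "").lower() == site_host.lower()
    if normalised.startswith("//"):
        return False                      # protocol-relative -> foreign host
    if parts.netloc:
        return False
    return normalised.startswith("/")     # only site-relative paths remain

def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes the check, otherwise an on-site fallback."""
    return target if is_safe_redirect(target) else fallback
```

The check deliberately rejects relative paths that lack a leading slash and any host that merely ends in the site name, trading a little convenience for a rule that is easy to reason about.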

Generated by OpenCVE AI on April 29, 2026 at 15:37 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Dec 2025 12:45:00 +0000

Type: Description
Values Added: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Jeff Starr User Submitted Posts user-submitted-posts allows Phishing. This issue affects User Submitted Posts: from n/a through <= 20251121.
Type: Title
Values Added: WordPress User Submitted Posts plugin <= 20251121 - Open Redirection vulnerability
Type: Weaknesses
Values Added: CWE-601
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:28.876Z

Reserved: 2025-12-19T10:16:51.230Z

Link: CVE-2025-68509

Vulnrichment

Updated: 2025-12-24T19:11:37.651Z

NVD

Status : Deferred

Published: 2025-12-24T13:16:20.777

Modified: 2026-04-27T19:16:26.573

Link: CVE-2025-68509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:45:14Z

Weaknesses