Description
The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link.
Published: 2026-02-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Open Redirection
Action: Apply Patch
AI Analysis

Impact

The Frontend Post Submission Manager Lite plugin for WordPress allows attackers to craft a request with a malicious 'requested_page' parameter, causing users who interact with the plugin to be redirected to arbitrary URLs. This opens the door to phishing, malware delivery, or other social-engineering attacks. The flaw is classified as CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect').

Affected Systems

WordPress sites running the Frontend Post Submission Manager Lite plugin, version 1.2.7 or earlier.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to entice a user to interact with the plugin, for example by sending a link that forces the plugin to process the request, but no authentication is required, making the threat realistic on sites where the plugin is active.

Generated by OpenCVE AI on April 17, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frontend Post Submission Manager Lite plugin to the latest release, which removes the vulnerable code.
  • If upgrade is not possible immediately, implement server-side validation that accepts only known safe URLs for the 'requested_page' parameter, effectively blocking arbitrary redirects.
  • Deploy a security plugin or web application firewall rule that detects and blocks open redirect patterns in plugin requests to mitigate the risk while a permanent fix is applied.
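
One way to implement the server-side validation from the second recommendation, as an added example that is not the plugin's or OpenCVE's code: a WordPress must-use plugin that rewrites 'requested_page' to a same-site or allowlisted target before any handler reads it. It assumes the plugin reads $_POST['requested_page'] during or after the 'init' action; the constant name is hypothetical.

```php
<?php
/**
 * Added example: constrain the 'requested_page' POST parameter to same-site
 * or explicitly allowlisted hosts. Place in wp-content/mu-plugins/.
 * Assumption: the vulnerable handler runs on or after the 'init' action.
 */

// Hypothetical allowlist of additional hosts; empty means same-site only.
const EXAMPLE_REDIRECT_EXTRA_HOSTS = array();

// Extend the host list that wp_validate_redirect() consults.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    return array_unique( array_merge( $hosts, EXAMPLE_REDIRECT_EXTRA_HOSTS ) );
} );

add_action( 'init', function () {
    if ( ! isset( $_POST['requested_page'] ) ) {
        return;
    }

    $raw = $_POST['requested_page'];
    // Arrays and other non-string input are never a valid redirect target.
    $candidate = is_string( $raw ) ? wp_unslash( $raw ) : '';
    $fallback  = home_url( '/' );

    // Returns $fallback unless the target is a relative path or an http(s)
    // URL whose host passes the 'allowed_redirect_hosts' filter. This also
    // covers protocol-relative targets such as //host/path.
    $safe = wp_validate_redirect( $candidate, $fallback );

    if ( $safe === $fallback && $candidate !== $fallback ) {
        // URL-encode and truncate the value so it cannot inject log lines.
        error_log( 'requested_page rejected: ' . rawurlencode( substr( $candidate, 0, 200 ) ) );
    }

    // WordPress keeps superglobals slashed, so re-slash before writing back.
    $_POST['requested_page']    = wp_slash( $safe );
    $_REQUEST['requested_page'] = $_POST['requested_page'];
}, PHP_INT_MIN ); // Run before handlers registered at the default priority.
```

The rejected-value log line doubles as a detection signal: repeated entries with off-site hosts indicate that redirect links targeting the site are in circulation.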


Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Wordpress; Wordpress wordpress; Wpshuffle; Wpshuffle frontend Post Submission Manager Lite – Frontend Posting Wordpress Plugin
  Vendors & Products: Wordpress; Wordpress wordpress; Wpshuffle; Wpshuffle frontend Post Submission Manager Lite – Frontend Posting Wordpress Plugin

Wed, 18 Feb 2026 05:00:00 +0000

Values Removed: (none)
Values Added:
  Description: The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link.
  Title: Frontend Post Submission Manager Lite <= 1.2.7 - Unauthenticated Open Redirect via 'requested_page' Parameter
  Weaknesses: CWE-601
  References:
  Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-02-18T20:47:37.114Z

Reserved: 2026-01-21T17:14:51.411Z

Link: CVE-2026-1296

Vulnrichment

Updated: 2026-02-18T20:47:34.176Z

NVD

Status: Deferred

Published: 2026-02-18T05:16:25.490

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1296

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z
