Description
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the `usp_get_submitted_category()` function accepting user-submitted category IDs from the POST body without validating them against the admin-configured allowed categories stored in `usp_options['categories']`. This makes it possible for unauthenticated attackers to assign submitted posts to arbitrary categories, including restricted ones, by crafting a direct POST request with manipulated `user-submitted-category[]` values, bypassing the frontend category restrictions.
Published: 2026-02-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated category assignment bypass
Action: Immediate Patch
AI Analysis

Impact

The User Submitted Posts plugin for WordPress fails to validate user‑supplied category identifiers against the administrator‑configured allowed list. As a result, an unauthenticated visitor can supply arbitrary category IDs in a crafted POST request and have a submitted post assigned to restricted or otherwise disallowed categories. The flaw does not provide code execution or data disclosure; its effect is on content integrity, letting attacker-submitted content land in sections the administrator intended to keep closed to front-end submissions, which can be used for stealthy publication or defacement there.

Affected Systems

WordPress sites running any version of the User Submitted Posts – Enable Users to Submit Posts from the Front End plugin up to and including release 20260113. The affected component is the front‑end submission handler, specifically `usp_get_submitted_category()`, which processes the 'user-submitted-category[]' field.

Risk and Exploitability

The CVSS v3.1 score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) signals moderate severity: network-reachable, no privileges or user interaction required, and a low impact confined to integrity, with no confidentiality or availability effect. The EPSS score is below 1%, indicating a low predicted probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers trigger the flaw by sending a direct HTTP POST to the plugin's front-end submission handler with crafted 'user-submitted-category[]' values; `usp_get_submitted_category()` reads those IDs from the request body without checking them against `usp_options['categories']`, so the restrictions enforced only by the front-end form are skipped entirely. Because the flaw is an authorization gap exercisable without authentication, the exploitation pathway is straightforward, although no exploitation has been reported (SSVC Exploitation: none).

Generated by OpenCVE AI on April 16, 2026 at 00:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Submitted Posts plugin to the first release after 20260113 whose changelog confirms that submitted category IDs are validated against `usp_options['categories']`; this page lists no vendor fix yet, so verify that the check is present rather than assuming any newer build carries it.
  • If a rapid update is not feasible, block or sanitize the 'user-submitted-category[]' parameter, either with a web application firewall rule or with a small filter in the theme's functions.php (or a must-use plugin) that rejects requests containing category IDs not present in the plugin's allowed list.
  • After addressing the authorization flaw, audit the site’s publicly visible content to identify any posts that may have been assigned to restricted categories by attackers and take corrective action.

Generated by OpenCVE AI on April 16, 2026 at 00:39 UTC.
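One way to implement the interim filter and the follow-up audit recommended above, as an added example that is not part of the OpenCVE page, the plugin, or its vendor's code. It assumes the plugin persists its settings under the option name 'usp_options' with 'categories' holding the allowed category IDs (one ID or an array), that hooking 'init' at priority 1 runs before the plugin reads the submission, and that posts are the affected post type; the `example_` function names are hypothetical. None of those assumptions is stated by the advisory, so confirm them against the installed plugin before relying on the guard.

```php
<?php
/**
 * Added example for this page (not code from User Submitted Posts or OpenCVE):
 * enforce the missing check, i.e. every ID posted in user-submitted-category[]
 * must appear in the administrator-configured list, and audit existing posts.
 *
 * Assumptions (not stated by the advisory): option name 'usp_options',
 * 'categories' = allowed category IDs, 'init' priority 1 precedes the plugin's
 * own handling. Function names prefixed example_ are hypothetical.
 */

/** Allowed category IDs, normalised to a list of positive integers. */
function example_usp_allowed_category_ids() {
    $options = get_option( 'usp_options', array() ); // assumed option name
    $raw     = isset( $options['categories'] ) ? (array) $options['categories'] : array();
    $ids     = array_map( 'intval', $raw );
    return array_values( array_filter( $ids, function ( $id ) { return $id > 0; } ) );
}

/**
 * Pure check: the submitted IDs that are NOT in the allowed list.
 * An empty result means the request is clean.
 */
function example_usp_disallowed_ids( array $submitted, array $allowed ) {
    $submitted = array_map( 'intval', $submitted );
    return array_values( array_diff( $submitted, $allowed ) );
}

/**
 * Request-time guard. The form submits user-submitted-category[] as an array;
 * a scalar is also handled in case a hand-crafted request sends one.
 */
function example_usp_enforce_allowed_categories() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! isset( $_POST['user-submitted-category'] ) ) {
        return;
    }
    $submitted = (array) wp_unslash( $_POST['user-submitted-category'] );
    $rejected  = example_usp_disallowed_ids( $submitted, example_usp_allowed_category_ids() );
    if ( ! empty( $rejected ) ) {
        // Refuse rather than silently re-map: an ID outside the allowed list is
        // exactly the tampered POST the advisory describes.
        wp_die(
            esc_html__( 'One or more submitted categories are not permitted.', 'example' ),
            esc_html__( 'Forbidden', 'example' ),
            array( 'response' => 403 )
        );
    }
}
add_action( 'init', 'example_usp_enforce_allowed_categories', 1 );

/**
 * Post-incident audit (third recommended action): published posts carrying at
 * least one category outside the allowed list. Returns post ID => offending
 * category IDs. Legitimate editor-authored posts will also appear here, so
 * compare the output with the site's submission records instead of treating
 * every hit as tampering.
 */
function example_usp_audit_posts_outside_allowed( $limit = 500 ) {
    $allowed = example_usp_allowed_category_ids();
    if ( empty( $allowed ) ) {
        return array(); // no restriction configured, nothing to compare against
    }
    $post_ids = get_posts( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => $limit,
        'fields'         => 'ids',
    ) );
    $report = array();
    foreach ( $post_ids as $post_id ) {
        $on_post   = wp_get_post_categories( $post_id ); // term IDs assigned to the post
        $offending = example_usp_disallowed_ids( $on_post, $allowed );
        if ( ! empty( $offending ) ) {
            $report[ $post_id ] = $offending;
        }
    }
    return $report;
}
```

The guard is deliberately strict: a request containing any ID outside the allowed list is rejected with 403 instead of being trimmed to the permitted subset, because a legitimate browser submission never produces such an ID and silently re-mapping would hide tampering from the logs. The audit walks `wp_get_post_categories()` per post rather than using `category__not_in`, since the latter would skip a post that sits in both an allowed and a restricted category.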

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Specialk
                                       Specialk user Submitted Posts – Enable Users To Submit Posts From The Front End
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Specialk
                                       Specialk user Submitted Posts – Enable Users To Submit Posts From The Front End
                                       Wordpress
                                       Wordpress wordpress

Wed, 18 Feb 2026 13:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 09:30:00 +0000

Type          Values Removed   Values Added
Description                    The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the `usp_get_submitted_category()` function accepting user-submitted category IDs from the POST body without validating them against the admin-configured allowed categories stored in `usp_options['categories']`. This makes it possible for unauthenticated attackers to assign submitted posts to arbitrary categories, including restricted ones, by crafting a direct POST request with manipulated `user-submitted-category[]` values, bypassing the frontend category restrictions.
Title                          User Submitted Posts <= 20260113 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter
Weaknesses                     CWE-863
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:44.750Z

Reserved: 2026-02-06T18:37:48.354Z

Link: CVE-2026-2126

Vulnrichment

Updated: 2026-02-18T12:26:22.237Z

NVD

Status : Deferred

Published: 2026-02-18T10:16:15.173

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:45:15Z

Weaknesses