Description
The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.
Published: 2026-06-29
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the F4 Post Tree WordPress plugin allows any authenticated user with Subscriber-level access or higher to change the parent and menu order of any post without performing a capability check or CSRF/nonce verification. It is inferred that by submitting an Ajax request to the vulnerable action the attacker can reorder posts or move children between different parent posts, potentially altering the site’s structure and presentation of content.

Affected Systems

WordPress sites running the F4 Post Tree plugin, version 2.0.4 or earlier, are impacted. The issue resides in the plugin’s Ajax endpoint which is enabled for both Subscribers and higher roles.

Risk and Exploitability

The CVSS score is 4.3, the EPSS score is less than 1%, and the vulnerability is not listed in CISA KEV. However, the risk remains significant because the attacker only needs a legitimate Subscriber account and can act without additional authentication steps. It is inferred that the lack of CSRF protection may allow the exploit to be performed from a malicious Web page or automated script if the user is logged in. Given the potential to disrupt site navigation or manipulate marketing content, the overall risk is high for any site using the affected plugin version.

Generated by OpenCVE AI on June 29, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the F4 Post Tree plugin to version 2.0.5 or later, which implements proper capability checks and CSRF validation for the Ajax action.
  • Verify role permissions for Subscriber accounts; consider removing any unnecessary post modification capabilities if they are not needed.
  • If an upgrade is not possible immediately, temporarily block or restrict access to the vulnerable Ajax endpoint for Subscribers and higher roles until a patch is deployed.
  • Monitor audit logs for abnormal post parent or menu order changes and investigate any unauthorized activity.

Generated by OpenCVE AI on June 29, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared F4 Post Tree
F4 Post Tree f4 Post Tree
Wordpress
Wordpress wordpress
Vendors & Products F4 Post Tree
F4 Post Tree f4 Post Tree
Wordpress
Wordpress wordpress

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
Description The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.
Title f4 Post Tree < 2.0.5 - Subscriber+ Arbitrary Post Parent/Menu Order Modification
References

Subscriptions

F4 Post Tree F4 Post Tree
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-29T12:46:50.805Z

Reserved: 2026-05-27T07:37:55.257Z

Link: CVE-2026-9676

cve-icon Vulnrichment

Updated: 2026-06-29T12:46:29.898Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:05:36Z

Weaknesses

No weakness.