Security Alert Summary
The Frontend Post Submission Manager Lite plugin for WordPress has an open redirection vulnerability that affects all versions up to and including 1.2.7. The issue stems from insufficient validation of a POST parameter, which could allow an unauthenticated attacker to redirect users to external sites if they can trick those users into taking an action such as clicking a link.
CVE Details
- CVE ID: CVE-2026-1296
- Affected component: Frontend Post Submission Manager Lite plugin for WordPress
- Affected versions: All versions up to and including 1.2.7
- Published: February 18, 2026 05:16:25 AM (timezone not specified)
- Last modified: February 18, 2026 05:16:25 AM (timezone not specified)
- CVSS v3.1: Base Score 6.1, Severity MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: CHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
- CWE / Weakness ID: CWE-601 (Open Redirect)
Technical Details
This vulnerability is an Open Redirection issue caused by insufficient validation of the requested_page POST parameter in the verify_username_password function. Because the plugin does not properly validate or constrain that parameter, an attacker who can convince a user to submit a request containing a crafted requested_page value may cause the application to redirect the user to an external URL chosen by the attacker.
The CVE description notes the issue exists in all versions up to and including 1.2.7. The entry does not specify a patched or fixed version.
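The validation this class of bug calls for, as an added example in WordPress PHP. It is not the plugin's code: the function names are hypothetical and the unsafe handler is an assumed illustration of the CWE-601 pattern; only the requested_page parameter name comes from the CVE entry.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical;
// only the requested_page parameter name is taken from the advisory.

// Pattern behind CWE-601: the POST value goes straight into the redirect.
function example_login_redirect_unsafe() {
    $target = isset( $_POST['requested_page'] )
        ? wp_unslash( $_POST['requested_page'] )
        : home_url( '/' );
    // esc_url_raw() cleans the URL but does not restrict the host,
    // so any absolute http(s) URL is accepted as the destination.
    wp_redirect( esc_url_raw( $target ) );
    exit;
}

// Hardened form: resolve the target first, keeping only same-site values.
function example_resolve_redirect_target() {
    $fallback = home_url( '/' );

    // Missing, empty or non-string (e.g. array) input: use the fallback.
    if ( empty( $_POST['requested_page'] ) || ! is_string( $_POST['requested_page'] ) ) {
        return $fallback;
    }

    $candidate = wp_unslash( $_POST['requested_page'] );

    // wp_validate_redirect() returns $fallback unless the host is the site's
    // own host or one added through the allowed_redirect_hosts filter. It
    // also rejects non-http(s) schemes and treats a leading "//" as a host.
    return wp_validate_redirect( $candidate, $fallback );
}

function example_login_redirect_safe() {
    // wp_safe_redirect() applies the same host check again before sending
    // the Location header, so a later code path cannot bypass it.
    wp_safe_redirect( example_resolve_redirect_target() );
    exit;
}
```

When reviewing a plugin for this pattern, look for wp_redirect() or header( 'Location: ...' ) calls whose argument derives from request data without passing through wp_validate_redirect() or wp_safe_redirect().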
How This Could Impact Your Website
On a multi-user WordPress site, an attacker could attempt to lure site visitors or contributors into clicking a link that triggers the vulnerable behavior. For example, an external contractor or contributor might receive a link that appears to go to a legitimate site section but instead redirects them to a malicious page. Site owners and internal staff who do not expect the redirect may be exposed to phishing pages or other social engineering attempts.
Practical consequences include increased risk of targeted phishing and credential-harvesting attempts, and potential exposure of users to malicious content. The CVSS data rates the confidentiality and integrity impacts as low and availability as not impacted, so nothing in the CVE entry implies execution of arbitrary code or full site compromise.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (the CVE entry does not specify a fixed version).
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can be targeted.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and access logs for unusual behavior or unexpected redirects.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-shortcode.php#L108
- https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/trunk/includes/classes/class-fpsml-shortcode.php#L108
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3458652%40frontend-post-submission-manager-lite&new=3458652%40frontend-post-submission-manager-lite&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/92c52129-7cf5-4a1b-80a1-b01140e6a72b?source=cve