WordPress Security Bulletin: User Submitted Posts – Enable Users to Submit Posts from the Front End (CVE-2026-2126)


Security Alert Summary

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress contains an incorrect authorization vulnerability that allows unauthenticated attackers to assign submitted posts to arbitrary categories by sending crafted POST requests. The issue stems from missing validation of user-supplied category IDs against the plugin’s configured allowed categories.


CVE Details

  • CVE ID: CVE-2026-2126
  • Affected plugin / component: User Submitted Posts – Enable Users to Submit Posts from the Front End (plugin for WordPress)
  • Affected versions: All versions up to, and including, 20260113
  • Published: February 18, 2026 at 10:16:15 AM
  • Last modified: February 18, 2026 at 10:16:15 AM
  • CVSS v3.1 base score / severity / vector: 5.3 / MEDIUM / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Authentication / Privileges / User Interaction:
    • Authentication required: None
    • Privileges required: None
    • User interaction: None
  • Primary impact:
    • Confidentiality: None
    • Integrity: Low (unauthenticated modification of post category assignments)
    • Availability: None
  • CWE / weakness: CWE-863 (Incorrect Authorization)

Technical Details

The vulnerability exists because the plugin’s usp_get_submitted_category() function accepts category IDs provided in the POST body without validating them against the admin-configured allowed categories stored in usp_options['categories']. Specifically, the plugin reads values from the user-submitted-category[] POST parameter and does not check those values against the configured whitelist of categories. An attacker can craft a direct POST request with manipulated user-submitted-category[] values to assign submitted posts to categories that should be restricted by the frontend settings, effectively bypassing those restrictions.
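The following PHP is an added illustration of the pattern the bulletin describes and is not the plugin's own code. It places a reconstruction of the vulnerable behaviour (trusting user-submitted-category[] as sent) next to a hardened version that keeps only IDs present in the admin-configured list. Only usp_options['categories'], user-submitted-category[] and usp_get_submitted_category() come from the bulletin; the example function names, the assumption that usp_options['categories'] holds an array of term IDs, and the 'default_category' option key are assumptions made for the example.

```php
<?php
// Added example for CVE-2026-2126 (not the plugin's code). Shows the unvalidated
// pattern and a whitelist-based fix. Names other than usp_options['categories']
// and user-submitted-category[] are assumptions for illustration.

// Vulnerable pattern: every submitted value is accepted as a category ID.
function usp_example_get_submitted_category_vulnerable(): array {
    $raw = $_POST['user-submitted-category'] ?? array();
    // No comparison against the admin-configured allowed categories.
    return array_map('intval', (array) $raw);
}

// Pure helper: keep only submitted IDs that appear in the allowed set.
// Strict integer comparison avoids loose-equality surprises (e.g. "1abc" == 1).
function usp_example_filter_to_allowed(array $submitted, array $allowed): array {
    $allowed   = array_map('intval', $allowed);
    $submitted = array_map('intval', $submitted);
    return array_values(array_filter($submitted, function (int $id) use ($allowed): bool {
        return $id > 0 && in_array($id, $allowed, true);
    }));
}

// Hardened pattern: the configured list is the source of truth; anything else
// is dropped and a server-side default is used instead of the client's choice.
function usp_example_get_submitted_category_hardened(): array {
    $options = get_option('usp_options', array());
    // Assumed layout: usp_options['categories'] is an array of allowed term IDs.
    $allowed = (array) ($options['categories'] ?? array());

    $raw   = $_POST['user-submitted-category'] ?? array();
    $valid = usp_example_filter_to_allowed((array) $raw, $allowed);

    if (empty($valid)) {
        // 'default_category' under usp_options is assumed; WordPress core's own
        // 'default_category' option is the fallback.
        $default = (int) ($options['default_category'] ?? get_option('default_category'));
        $valid   = $default > 0 ? array($default) : array();
    }
    return $valid;
}
```

The filter runs on the server before any category is attached, so a client that sends extra IDs in user-submitted-category[] gets them silently discarded. A belt-and-braces variant would additionally confirm each surviving ID is an existing term in the category taxonomy (for example via get_term()), which guards against stale IDs in the configured list.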

The impact is limited to inappropriate assignment of categories for submitted posts. The flaw does not, based on the provided information, disclose sensitive content or affect availability; its primary effect is on integrity of post metadata (category assignment).


How This Could Impact Your Website

In a typical small site setup, site owners allow external contributors or site visitors to submit posts through the frontend while administrators configure which categories are available for submission. With this vulnerability, an unauthenticated attacker could submit posts and assign them to restricted categories, which may be used for internal or sensitive content indexing, automated workflows, or audience segmentation.

Practical consequences include incorrect categorization of user-submitted content, potential exposure of internal workflows that rely on category membership, and increased risk of targeted phishing or social engineering if category-based content is used to identify or segment users. The vulnerability does not indicate disclosure of private content or direct account takeover, but it can alter how content is organized and presented to users.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts and anonymous submission endpoints.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and submission logs for unusual behavior, such as posts assigned to unexpected categories.
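As an added helper for the monitoring point above (not part of the bulletin or the plugin), the WP-CLI script below lists front-end submissions whose categories fall outside the list configured in usp_options['categories']. It assumes the plugin marks submissions with a post meta key named is_submission and that usp_options['categories'] is an array of term IDs; both are assumptions, so adjust them to match what the installed version actually stores.

```php
<?php
// Added audit script (not the plugin's code). Run from the site root with:
//   wp eval-file usp-category-audit.php
// Assumptions not confirmed by the bulletin: submissions carry post meta
// 'is_submission', and usp_options['categories'] is an array of term IDs.

function usp_example_allowed_categories(): array {
    $options = get_option('usp_options', array());
    return array_map('intval', (array) ($options['categories'] ?? array()));
}

// Returns [post_id => [term_id, ...]] for submissions in non-allowed categories.
function usp_example_find_out_of_policy_submissions(): array {
    $allowed = usp_example_allowed_categories();

    $query = new WP_Query(array(
        'post_type'      => 'post',
        'post_status'    => array('pending', 'draft', 'publish'),
        'posts_per_page' => -1,
        'meta_key'       => 'is_submission', // assumed marker set by the plugin
        'fields'         => 'ids',
    ));

    $flagged = array();
    foreach ($query->posts as $post_id) {
        $cats    = array_map('intval', wp_get_post_categories($post_id));
        $outside = array_values(array_diff($cats, $allowed));
        if (!empty($outside)) {
            $flagged[(int) $post_id] = $outside;
        }
    }
    return $flagged;
}

$flagged = usp_example_find_out_of_policy_submissions();
if (empty($flagged)) {
    WP_CLI::success('No submitted posts found outside the allowed categories.');
} else {
    foreach ($flagged as $post_id => $cats) {
        WP_CLI::warning(sprintf(
            'Post %d is assigned to non-allowed categories: %s',
            $post_id,
            implode(', ', $cats)
        ));
    }
}
```

Any post the script flags that was created after the plugin was installed deserves a look at its submission time and source IP in the web server logs; running the script on a schedule (for example from cron via wp eval-file) turns the bulletin's monitoring advice into a repeatable check.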

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References