CVE-2026-1296

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-1296
The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-shortcode.php#L108
https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/trunk/includes/classes/class-fpsml-shortcode.php#L108
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3458652%40frontend-post-submission-manager-lite&new=3458652%40frontend-post-submission-manager-lite&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/92c52129-7cf5-4a1b-80a1-b01140e6a72b?source=cve
Configurations

No configuration.

History

18 Feb 2026, 17:51

Type Values Removed Values Added
Summary
  • (es) El plugin Frontend Post Submission Manager Lite para WordPress es vulnerable a la redirección abierta en todas las versiones hasta la 1.2.7, inclusive, debido a validación insuficiente en el parámetro POST 'requested_page' en la función verify_username_password. Esto hace posible para atacantes no autenticados redirigir a los usuarios a sitios potencialmente maliciosos si logran engañarlos con éxito para que realicen una acción como hacer clic en un enlace.

18 Feb 2026, 05:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-18 05:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-1296

Mitre link : CVE-2026-1296

CVE.ORG link : CVE-2026-1296

JSON object : View

Products Affected

No product.

CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')