CVE-2026-2126

{"id": "CVE-2026-2126", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-02-18T10:16:15.173", "references": [{"url": "https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20260113/user-submitted-posts.php#L1431", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20260113/user-submitted-posts.php#L298", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3463696%40user-submitted-posts%2Ftrunk&old=3456521%40user-submitted-posts%2Ftrunk&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02c5e3ad-5cc3-40b1-a15a-10d53383abe6?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "The User Submitted Posts \u2013 Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the `usp_get_submitted_category()` function accepting user-submitted category IDs from the POST body without validating them against the admin-configured allowed categories stored in `usp_options['categories']`. This makes it possible for unauthenticated attackers to assign submitted posts to arbitrary categories, including restricted ones, by crafting a direct POST request with manipulated `user-submitted-category[]` values, bypassing the frontend category restrictions."}, {"lang": "es", "value": "El plugin User Submitted Posts \u2013 Enable Users to Submit Posts from the Front End para WordPress es vulnerable a una autorizaci\u00f3n incorrecta en todas las versiones hasta, e incluyendo, 20260113. Esto se debe a que la funci\u00f3n `usp_get_submitted_category()` acepta IDs de categor\u00eda enviadas por el usuario desde el cuerpo de la solicitud POST sin validarlas contra las categor\u00edas permitidas configuradas por el administrador y almacenadas en `usp_options['categories']`. Esto hace posible que atacantes no autenticados asignen publicaciones enviadas a categor\u00edas arbitrarias, incluyendo las restringidas, al crear una solicitud POST directa con valores `user-submitted-category[]` manipulados, eludiendo las restricciones de categor\u00eda del frontend."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security@wordfence.com"}