PT-2026-20377 · WordPress · Wordpress+1

Specialk · Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-2126

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress versions prior to 20260114

Description

The software is susceptible to an authorization issue. This is due to the usp_get_submitted_category() function improperly handling user-supplied category IDs received in the POST request body. Specifically, the function does not validate these IDs against the allowed categories configured by the administrator and stored in usp_options['categories']. This allows unauthenticated attackers to assign submitted posts to any category, including restricted ones, by manipulating the user-submitted-category[] values in a direct POST request, effectively bypassing frontend category restrictions.

Recommendations

Update to a version later than 20260113.
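
The missing server-side check described above, shown as an added example in plain PHP. This is not the plugin's code or its actual patch. The function names and sample data are hypothetical, and only the user-submitted-category field and the categories option key come from the description.

```php
<?php
// Added example: hypothetical helpers, not the plugin's source code.

/** Unchecked pattern the advisory describes: every posted ID is accepted. */
function example_categories_unchecked(array $post): array
{
    $raw = $post['user-submitted-category'] ?? [];
    return array_map('intval', is_array($raw) ? $raw : [$raw]);
}

/** Hardened pattern: keep only IDs present in the admin-configured allowlist. */
function example_categories_validated(array $post, array $options): array
{
    $raw = $post['user-submitted-category'] ?? [];
    if (!is_array($raw)) {
        $raw = [$raw];
    }
    // Normalise the stored allowlist to integers so the comparison can be strict.
    $allowed = array_map('intval', $options['categories'] ?? []);
    $accepted = [];
    foreach ($raw as $value) {
        // Returns false for nested arrays, non-numeric strings and values below 1.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false && in_array($id, $allowed, true)) {
            $accepted[$id] = $id; // keyed by ID to drop duplicates
        }
    }
    // An empty result means nothing valid was submitted; the caller decides
    // whether to reject the submission or fall back to a default category.
    return array_values($accepted);
}

// Constructed sample data: the admin allows categories 3 and 7, while the
// request body also names IDs 1 and 12, a duplicate and a non-numeric value.
$options = ['categories' => ['3', '7']];
$post    = ['user-submitted-category' => ['3', '12', '7', '1', '3', 'abc']];

print_r(example_categories_unchecked($post));
print_r(example_categories_validated($post, $options));
```

The check runs on the request body itself, so it holds even when the POST bypasses the frontend form that normally limits the category choices.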

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-2126

Affected Products

User Submitted Posts
WordPress