Attack Vectors
CVE-2026-2126 affects the WordPress plugin User Submitted Posts – Enable Users to Submit Posts from the Front End (slug: user-submitted-posts) in versions up to and including 20260113, with a Medium severity (CVSS 5.3). The issue can be abused over the network without authentication, meaning an external party can attempt it directly against your front-end submission workflow.
The primary attack vector is a crafted front-end post submission request where the attacker manipulates the user-submitted-category parameter in the POST body. By doing so, they may be able to force a submitted post into categories that were intended to be restricted, even when your administrators have configured “allowed categories.”
Security Weakness
This is an Incorrect Authorization weakness. In affected versions, the plugin's category selection logic accepts a user-provided category ID from the POST request and does not validate it against the administrator-configured list of allowed categories (stored in usp_options['categories']). As a result, category restrictions can be bypassed by an unauthenticated user who submits a request with a manipulated category value.
In business terms, the control meant to enforce “where user submissions are allowed to appear” can be overridden by the requester, weakening content governance and policy enforcement.
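As an added illustration, not code from the plugin or from the Wordfence advisory, the PHP below places the unchecked pattern the advisory describes beside a server-side allow-list check. The function names and demo values are constructed, and it assumes usp_options['categories'] holds an array of category term IDs and that the form field is user-submitted-category.

```php
<?php
// Added example, not code from the User Submitted Posts plugin.
// Assumption: the administrator's allow list is stored in usp_options['categories']
// as an array of category term IDs, and the front-end form posts the chosen ID in
// the user-submitted-category field.

// Weak pattern the advisory describes: the POST value is trusted as-is, so any
// category ID the requester names becomes the post's category.
function usp_example_vulnerable_category( array $request ): int {
    return (int) ( $request['user-submitted-category'] ?? 0 );
}

// Hardened form: the request value is only honoured when it appears in the
// server-side allow list; anything else falls back to the first allowed category.
function usp_example_allowed_category( array $request, array $usp_options ): int {
    $allowed = array_values( array_filter(
        array_map( 'intval', (array) ( $usp_options['categories'] ?? array() ) )
    ) );
    if ( $allowed === array() ) {
        return 1; // WordPress ships term ID 1 as "Uncategorized"; used when nothing is configured
    }
    $requested = (int) ( $request['user-submitted-category'] ?? 0 );
    // Strict membership test; a spoofed or out-of-range ID never wins.
    return in_array( $requested, $allowed, true ) ? $requested : $allowed[0];
}

// Constructed demo: the administrator allows categories 5 and 7,
// while the submission names category 3, which is not on the list.
$options = array( 'categories' => array( 5, 7 ) );
$request = array( 'user-submitted-category' => '3' );
var_dump( usp_example_vulnerable_category( $request ) );        // restricted category accepted unchanged
var_dump( usp_example_allowed_category( $request, $options ) ); // replaced by an allowed category

// A permitted choice is honoured as submitted.
$request = array( 'user-submitted-category' => '7' );
var_dump( usp_example_allowed_category( $request, $options ) );
```

The same membership check, applied before the category is attached to the post, is what distinguishes a patched build from an affected one; the admin-configured list, not the request, is the source of truth.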
Technical or Business Impacts
Brand and reputational risk: Posts could appear in categories that carry higher visibility, authority, or sensitivity (for example, categories intended for official announcements, investor communications, or regulated topics), increasing the likelihood of audience confusion and brand damage.
Compliance and governance risk: If your category structure maps to editorial approvals, disclosures, or regulated workflows, this bypass may undermine documented controls and create audit issues for Compliance, Legal, and Security teams.
Operational disruption: Marketing and content teams may face increased moderation overhead as inappropriate or misleading submissions are routed into restricted areas, potentially impacting campaign timelines and stakeholder trust.
Recommended action: Update User Submitted Posts – Enable Users to Submit Posts from the Front End to version 20260217 or newer (patched). Track the issue under CVE-2026-2126 and reference the vendor/community advisory from Wordfence.