Vulnerabilities and security researches foruser-submitted-posts user-submitted-posts

Jun 07, 2024

CVE, Research URL: -
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Mar 26, 2024
Research Description: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Affected versions: max 20230902.
Status: vulnerable

CVE, Research URL: CVE-2023-4779
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Sep 06, 2023
Research Description: The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [usp_gallery] shortcode in versions up to, and including, 20230811 due to insufficient input sanitization and output escaping on user supplied attributes like 'before'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 20230901.
Status: vulnerable

CVE, Research URL: CVE-2023-45603
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Dec 21, 2023
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in Jeff Starr User Submitted Posts – Enable Users to Submit Posts from the Front End.This issue affects User Submitted Posts – Enable Users to Submit Posts from the Front End: from n/a through 20230902.
Affected versions: max 20230914.
Status: vulnerable

CVE, Research URL: CVE-2016-11001
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Sep 20, 2019
Research Description: The user-submitted-posts plugin before 20160215 for WordPress has XSS via the user-submitted-content field.
Affected versions: max 20190426.
Status: vulnerable

CVE, Research URL: CVE-2019-25138
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Jun 07, 2023
Research Description: The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the usp_check_images function in versions up to, and including, 20190312. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
Affected versions: max 20190426.
Status: vulnerable

CVE, Research URL: CVE-2023-4308
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Aug 15, 2023
Research Description: The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user-submitted-content’ parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 20230811.
Status: vulnerable

CVE, Research URL: CVE-2023-7251
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Mar 26, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr User Submitted Posts allows Stored XSS.This issue affects User Submitted Posts: from n/a through 20230901.
Affected versions: max 20230902.
Status: vulnerable

Jul 15, 2024

CVE, Research URL: CVE-2024-5002
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Jul 13, 2024
Research Description: The User Submitted Posts WordPress plugin before 20240516 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: max 20240516.
Status: vulnerable

Apr 04, 2025

CVE, Research URL: CVE-2025-2874
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Apr 03, 2025
Research Description: The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 20240319 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 20250327.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-68509
Home page URL: Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End
Application: User Submitted Posts – Enable Users to Submit Posts from the Front End
Date: Dec 24, 2025
Research Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Jeff Starr User Submitted Posts user-submitted-posts allows Phishing.This issue affects User Submitted Posts: from n/a through <= 20251121.
Affected versions: max 20251121.
Status: vulnerable