cleantalk
Vulnerabilities and Security Researches

User Submitted Posts – Enable Users to Submit Posts from the Front End, CVE-2026-2126

CVE, Research URL

CVE-2026-2126

Home page URL

Security reports for User Submitted Posts – Enable Users to Submit Posts from the Front End

Application

User Submitted Posts – Enable Users to Submit Posts from the Front End

Published on
Feb 18, 2026
Research Description
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the `usp_get_submitted_category()` function accepting user-submitted category IDs from the POST body without validating them against the admin-configured allowed categories stored in `usp_options['categories']`. This makes it possible for unauthenticated attackers to assign submitted posts to arbitrary categories, including restricted ones, by crafting a direct POST request with manipulated `user-submitted-category[]` values, bypassing the frontend category restrictions.
Affected versions
max 20260217.
Status
vulnerable
Previous vulnerability researches
Modular DS: Manage all your websites from a single dashboard (CVE-2026-3903) , Apr 14, 2026
Modular DS: Manage all your websites from a single dashboard (CVE-2026-23550) , Jan 27, 2026
Modular DS: Manage all your websites from a single dashboard (CVE-2026-23800) , Jan 27, 2026
New vulnerability
MyQtip – easy qTip2 (CVE-2026-1574) , Apr 15, 2026
Postalicious (CVE-2026-1266) , Apr 15, 2026
Import CSV or XML Datafeed With Ease (CVE-2026-1317) , Apr 15, 2026
Peter’s Date Countdown (CVE-2026-1654) , Apr 15, 2026
Essential Widgets (CVE-2026-0867) , Apr 15, 2026