User Submitted Posts < 20260217 – Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter | CVE 2026-2126 | Plugin Vulnerabilities

Description

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the `usp_get_submitted_category()` function accepting user-submitted category IDs from the POST body without validating them against the admin-configured allowed categories stored in `usp_options['categories']`. This makes it possible for unauthenticated attackers to assign submitted posts to arbitrary categories, including restricted ones, by crafting a direct POST request with manipulated `user-submitted-category[]` values, bypassing the frontend category restrictions.

Affects Plugins

user-submitted-posts

Fixed in 20260217

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/02c5e3ad-5cc3-40b1-a15a-10d53383abe6

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

39a38545-6a99-4ea3-b5ed-b74ede753cb2

Timeline

Publicly Published

2026-02-17 (about 2 months ago)

Added

2026-02-17 (about 2 months ago)

Last Updated

2026-02-18 (about 2 months ago)

Other

Published

Title

Published

2025-08-28

Title

LWSCache < 2.9 - Subscriber+ Limited Plugin Activation

Published

2025-04-09

Title

SureForms < 1.4.4 - Contributor+ Settings Update

Published

2026-01-09

Title

Templately < 3.4.9 - Unauthenticated Limited Arbitrary JSON File Write

Published

2023-11-28

Title

WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints

Published

2022-11-21

Title

WPTools < 3.43 - Subscriber+ Arbitrary Plugin Installation