Incorrect Authorization in User Submitted Posts Plugin for WordPress
CVE-2026-2126
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 18 February 2026
What is CVE-2026-2126?
The User Submitted Posts plugin for WordPress is vulnerable due to a lack of validation on user-submitted category IDs. The usp_get_submitted_category() function allows attackers to send unauthorized category requests by manipulating POST data, which bypasses configured category restrictions. This flaw permits unauthenticated users to submit posts to arbitrary categories, including those that are supposed to be restricted, posing a significant security risk.
Affected Version(s)
User Submitted Posts β Enable Users to Submit Posts from the Front End 0 <= 20260113