CVE-2026-11570
MediumCVSS 4.2Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The User Submitted Posts WordPress plugin before version 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting vulnerability. This can be triggered by unauthenticated users when a non-default display option is enabled.
Risk Assessment
An attacker can inject malicious JavaScript that executes in the browsers of administrators or other visitors, potentially leading to session hijacking, defacement, or further attacks.
Recommendation
Immediately update the User Submitted Posts plugin to version 20260608 or later. If updating is not possible, disable the non-default display option in the plugin settings.
Original NVD description (English source)
The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.

