CVE Catalog

CVE-2026-11570

MediumCVSS 4.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile — higher than 3% of all known CVEs

Summary

The User Submitted Posts WordPress plugin before version 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting vulnerability. This can be triggered by unauthenticated users when a non-default display option is enabled.

Risk Assessment

An attacker can inject malicious JavaScript that executes in the browsers of administrators or other visitors, potentially leading to session hijacking, defacement, or further attacks.

Recommendation

Immediately update the User Submitted Posts plugin to version 20260608 or later. If updating is not possible, disable the non-default display option in the plugin settings.

Original NVD description (English source)

The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS