CVE Catalog

CVE-2026-9676

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

1th percentile — higher than 1% of all known CVEs

Summary

The F4 Post Tree WordPress plugin before version 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

Risk Assessment

The risk is that an attacker with low privileges can alter the structure and order of any posts, potentially leading to content disorganization, navigation manipulation, or hiding important information.

Recommendation

It is recommended to immediately update the F4 Post Tree plugin to version 2.0.5 or later, which includes the necessary security fixes.

Original NVD description (English source)

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS