Skip to main content

User Submitted Posts CVE-2026-11570

| EUVDEUVD-2026-40917 MEDIUM
2026-07-01 WPScan GHSA-qrfm-jqh3-mc7c
4.2
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
4.2 MEDIUM

AC:H reflects the non-default admin configuration prerequisite; PR:N because payload submission is unauthenticated; UI:R because a victim must view the rendered template.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 01, 2026 - 11:27 vuln.today
CVSS changed
Jul 01, 2026 - 11:22 NVD
4.2 (None) 4.2 (MEDIUM)
Patch available
Jul 01, 2026 - 08:01 EUVD
CVE Published
Jul 01, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 01, 2026 - 06:00 cve.org
MEDIUM 4.2

DescriptionCVE.org

The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.

AnalysisAI

Stored Cross-Site Scripting in the User Submitted Posts WordPress plugin before version 20260608 enables unauthenticated attackers to inject persistent malicious scripts into admin-configured display templates. The vulnerability is only reachable when a site administrator has enabled a non-default display option in the plugin settings, limiting its real-world exposure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted payload via unauthenticated post form
Delivery
Plugin stores unescaped script in database
Exploit
Administrator views post in non-default display template
Execution
Stored XSS executes in admin browser
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires that a WordPress site administrator has explicitly enabled a non-default display option within the User Submitted Posts plugin configuration - without this setting active, the vulnerable template rendering code path is not invoked and exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 4.2 with vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N is internally consistent with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated visitor to a WordPress site submits a post through the User Submitted Posts front-end form, embedding a JavaScript payload such as an event-handler attribute or script tag in a field that is later rendered by the non-default display template. When an administrator or authenticated user navigates to the page rendering that template, the stored payload executes in their browser session, enabling session cookie theft or unauthorized actions performed on their behalf. …
Remediation Update the User Submitted Posts WordPress plugin to version 20260608 or later, which introduces proper output escaping for user-submitted values rendered in display templates. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11570 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy