Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
AC:H reflects the non-default admin configuration prerequisite; PR:N because payload submission is unauthenticated; UI:R because a victim must view the rendered template.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.
AnalysisAI
Stored Cross-Site Scripting in the User Submitted Posts WordPress plugin before version 20260608 enables unauthenticated attackers to inject persistent malicious scripts into admin-configured display templates. The vulnerability is only reachable when a site administrator has enabled a non-default display option in the plugin settings, limiting its real-world exposure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a WordPress site administrator has explicitly enabled a non-default display option within the User Submitted Posts plugin configuration - without this setting active, the vulnerable template rendering code path is not invoked and exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 4.2 with vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N is internally consistent with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated visitor to a WordPress site submits a post through the User Submitted Posts front-end form, embedding a JavaScript payload such as an event-handler attribute or script tag in a field that is later rendered by the non-default display template. When an administrator or authenticated user navigates to the page rendering that template, the stored payload executes in their browser session, enabling session cookie theft or unauthorized actions performed on their behalf. … |
| Remediation | Update the User Submitted Posts WordPress plugin to version 20260608 or later, which introduces proper output escaping for user-submitted values rendered in display templates. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in User Submitted Posts
View allThe User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validatio
Unrestricted Upload of File with Dangerous Type vulnerability in Jeff Starr User Submitted Posts - Enable Users to Submi
The User Submitted Posts WordPress plugin before 20240516 does not sanitise and escape some of its settings, which could
The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [usp_gallery
The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user-submitted-conte
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40917
GHSA-qrfm-jqh3-mc7c