5.3
WordPress User Submitted Posts plugin allows unauthorized category changes
CVE-2026-2126
Summary
The User Submitted Posts plugin for WordPress does not check submitted category IDs against the categories the administrator has allowed. An unauthenticated attacker can therefore assign a submitted post to any category, including restricted ones. Update to the latest version to fix this issue.
Original title
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due ...
Original description
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the `usp_get_submitted_category()` function accepting user-submitted category IDs from the POST body without validating them against the admin-configured allowed categories stored in `usp_options['categories']`. This makes it possible for unauthenticated attackers to assign submitted posts to arbitrary categories, including restricted ones, by crafting a direct POST request with manipulated `user-submitted-category[]` values, bypassing the frontend category restrictions.
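The missing server-side check described above, shown as an added PHP example (not the plugin's code or its patch): submitted IDs are normalised and intersected with the allow-list, and anything outside it is logged rather than assigned. The `example_*` function names are hypothetical, the sample values are constructed, and the allow-list is assumed to be a flat list of category IDs.

```php
<?php
// Added illustration, not the plugin's code. The example_* names are hypothetical.

// Turn a raw request or option value into a list of unique positive integer IDs.
function example_to_id_list($value): array
{
    // A scalar can arrive where an array is expected (name=5 instead of name[]=5).
    $items = is_array($value) ? $value : [$value];
    $ids = [];
    foreach ($items as $item) {
        // Nested arrays and non-digit strings ("-3", "5abc", "") are dropped, not cast.
        if (is_int($item) && $item > 0) {
            $ids[$item] = true;
        } elseif (is_string($item) && ctype_digit($item) && (int) $item > 0) {
            $ids[(int) $item] = true;
        }
    }
    return array_keys($ids);
}

// Split submitted category IDs into those on the admin allow-list and the rest.
// Assumption: $allowed is a flat list of category IDs (usp_options['categories']).
function example_filter_submitted_categories($submitted, $allowed): array
{
    $submitted_ids = example_to_id_list($submitted);
    $allowed_ids = example_to_id_list($allowed);
    return [
        'accepted' => array_values(array_intersect($submitted_ids, $allowed_ids)),
        'rejected' => array_values(array_diff($submitted_ids, $allowed_ids)),
    ];
}

// Constructed sample: the admin allows categories 3 and 7; the POST body
// names 7 (allowed), 12 and 1 (not allowed), a duplicate and malformed values.
$allowed = ['3', '7'];
$post = ['user-submitted-category' => ['7', '12', '1', '7', 'abc', ['9']]];

$result = example_filter_submitted_categories($post['user-submitted-category'] ?? [], $allowed);
if ($result['rejected'] !== []) {
    // IDs the frontend form never offers are worth recording for detection.
    error_log('Submission named category IDs outside the allow-list: '
        . implode(',', $result['rejected']));
}
echo 'Categories to assign: ' . implode(',', $result['accepted']) . PHP_EOL;
```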
NVD CVSS 3.1
5.3
Vulnerability type
CWE-863: Incorrect Authorization
References
- https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20260113/us...
- https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20260113/us...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/02c5e3ad-5cc3-40b1-a15...
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026