WordPress Guest Posting Plugin Leaks Admin Email and Form Data

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.9

WordPress Guest Posting Plugin Leaks Admin Email and Form Data

CVE-2026-1867

Summary

The WordPress plugin Guest Posting / Frontend Posting / Front Editor has a security issue that allows hackers to download sensitive information, including the administrator's email address, if they know how to ask for it. This could be used for phishing or spamming. To fix this, update the plugin to version 5.0.6 or later.

Original title

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an admi...

Original description

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6's settings, it is possible for an unauthenticated attacker to export and download all of the form data/settings, including the administrator's email address.

Vulnerability type

CWE-200 Information Exposure

https://wpscan.com/vulnerability/a78ebcd2-9355-4f4e-829e-b10867463576/

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026