As part of my independent learning and hands-on security research, I analyzed WordPress plugins that allow users to submit posts from the front end. During this analysis, I discovered an unauthenticated stored cross-site scripting (XSS) vulnerability in the User Submitted Posts — Enable Users to Submit Posts from the Front End plugin, affecting versions ≤ 20251210.
The issue was responsibly disclosed through Wordfence and assigned CVE-2026-0800.
Proof of Concept (PoC)
Vulnerability Description
The plugin stores user-supplied input from a public submission form as post meta. This data is later rendered inside the WordPress admin post edit screen without proper sanitization or output escaping, allowing stored JavaScript execution.
Payload Used
"><script>alert('Vulnerable: Stored XSS by Bala');</script>
Steps to Reproduce
- Install and activate the User Submitted Posts plugin (version ≤ 20251210).
- Navigate to the public-facing post submission form.
- Fill in the required fields such as post title and content.
- Insert the payload into the Custom Field input (user-submitted-custom).
- Submit the post.
- Log in to WordPress as an Administrator.
- Navigate to Posts → All Posts.
Result
When the post edit page loads, the injected JavaScript executes automatically within the WordPress admin interface, confirming an unauthenticated stored XSS vulnerability.
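The following is an added illustrative example, not the plugin's code and not the patch referenced below. It shows the pattern the description above names (user-supplied post meta echoed into admin markup without escaping) next to a hardened form that sanitizes on input and escapes for the output context. It assumes the sink is an HTML attribute value, which is an inference from the `">` prefix of the payload, and it defines simplified stand-ins for `esc_attr()` and `sanitize_text_field()` only when the real WordPress functions are absent, so it can be run with the PHP CLI outside WordPress.

```php
<?php
// Illustrative example (not the plugin's code). Simplified stand-ins for the
// WordPress helpers so this file runs outside WordPress; inside WordPress the
// real esc_attr() and sanitize_text_field() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str)); // approximation of the WP behaviour
    }
}

// Constructed sample input: the payload from the write-up.
$submitted = "\"><script>alert('Vulnerable: Stored XSS by Bala');</script>";

// Vulnerable pattern: the value read back from post meta is concatenated
// straight into an attribute on the admin edit screen.
function render_custom_field_vulnerable($value) {
    return '<input type="text" name="user-submitted-custom" value="' . $value . '">';
}

// Hardened pattern, step 1: sanitize before the value reaches update_post_meta().
function store_custom_field_hardened($raw) {
    return sanitize_text_field($raw);
}

// Hardened pattern, step 2: escape for the attribute context at output time.
// This is the decisive control; it holds even if unsanitized data is already stored.
function render_custom_field_hardened($value) {
    return '<input type="text" name="user-submitted-custom" value="' . esc_attr($value) . '">';
}

echo "Vulnerable output:\n", render_custom_field_vulnerable($submitted), "\n\n";
// The leading "> closes the attribute and the tag, so the <script> element
// becomes live markup in the admin page.

$stored = store_custom_field_hardened($submitted);
echo "Hardened (sanitized on input, escaped on output):\n",
     render_custom_field_hardened($stored), "\n\n";

echo "Hardened (escaped on output only, legacy stored data):\n",
     render_custom_field_hardened($submitted), "\n";
// Quotes and angle brackets are entity-encoded, so the value stays inside the
// attribute and the browser renders it as text.
```

Running it shows the first output containing a real `<script>` element, while both hardened outputs contain only `&quot;&gt;&lt;script&gt;...` inside the `value` attribute. Input sanitization reduces what gets stored, but output escaping for the exact context (here `esc_attr()` for an attribute; `esc_html()` or `wp_kses_post()` would apply to other sinks) is what prevents execution, including for data stored before a fix.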
References
- Wordfence Intelligence — CVE-2026-0800: https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec907bc-bd10-4dc5-be35-4f2aaf5ef444?source=cve
- WordPress Plugin Patch (SVN Changeset 3436859): https://plugins.trac.wordpress.org/changeset/3436859/user-submitted-posts
Author: Balamurugan R, Independent Security Researcher