The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode. This vulnerability affects all versions up to, and including, 20260110. The flaw arises from insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages.
The CVSS score for this vulnerability is 6.4, categorizing it as medium severity. The attack complexity is low and no user interaction is required, so the main limiting factor is the need for an authenticated account; once a script is stored in a page, it runs in the browser of every visitor who views that page, which is why the impact falls on the confidentiality and integrity of the affected site.
Risk to organizations includes unauthorized access to sensitive information, potential defacement of web pages, and the possibility of distributing malicious content to users. As such, organizations using this plugin should prioritize patching immediately.
Currently, there are no known exploits or public proof of concepts available for this vulnerability. Security teams should remain vigilant and monitor for any updates or patches from the vendor.
Vulnerability Details
This vulnerability allows for stored cross-site scripting (XSS) due to improper handling of user input in the WordPress plugin. The CVSS score of 6.4 indicates a medium severity, suggesting that while the vulnerability is not critical, it still poses a significant risk that must be addressed. The vulnerability was published on January 16, 2026, and is classified under CWE-79.
Technical Analysis
The root cause of this vulnerability is the lack of proper input sanitization and output escaping for user-supplied attributes within the plugin's shortcode: attribute values are rendered into the page's HTML without being encoded for that context. The attack vector is network-based, requiring no user interaction. Attack complexity is low, and low privileges (Contributor-level access) are sufficient, since a Contributor can place the shortcode in post content even though that role cannot normally insert raw script into a post. The impact on confidentiality and integrity is low, while availability remains unaffected.
Risk & Impact Analysis
Organizations deploying the affected plugin face the risk of unauthorized script execution, which can lead to data theft or manipulation, and could also serve as a vector for further attacks. The vulnerability has a medium exploitability score, indicating a moderate risk level. Due to its potential impact on user trust and data integrity, organizations should address this vulnerability in their priority patch cycle.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
All versions of the User Submitted Posts plugin prior to version 20260110 are affected by this vulnerability.
Mitigation & Remediation
Organizations should prioritize patching the affected plugin to version 20260110 or later. In the absence of a patch, consider disabling the plugin until a fix is applied. Additionally, implementing input validation and output escaping for user-supplied data can help mitigate risks associated with similar vulnerabilities.
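The following is an added illustration of the defect class described above and of the escaping practice recommended here. It is not the plugin's own code: the `[demo_box]` shortcode and its `class` and `title` attributes are hypothetical, chosen only to show the same pattern (user-supplied shortcode attributes rendered into HTML) in a vulnerable form and a hardened form using WordPress core functions.

```php
<?php
/**
 * Added example, not code from the User Submitted Posts plugin.
 * A hypothetical [demo_box class="..." title="..."] shortcode written twice:
 * once with the defect pattern behind CWE-79, once hardened.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // only meaningful when loaded by WordPress
}

// VULNERABLE PATTERN (hypothetical). Shortcode attributes come from post
// content that a Contributor can author. WordPress applies KSES filtering to
// that role's post content, but the shortcode runs at render time and here
// the attribute values are concatenated into markup with no escaping, so
// whatever the author typed lands in the HTML of every viewer's page.
function demo_box_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'class' => '', 'title' => '' ),
        $atts,
        'demo_box'
    );
    return '<div class="' . $atts['class'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</div>';
}

// HARDENED PATTERN. Sanitize on the way in (strip tags and control characters,
// constrain the class name to an allow-listed character set) and, independently,
// escape on the way out with the function that matches the exact HTML context:
// esc_attr() inside attribute quotes, esc_html() for text content. Output
// escaping is the control that closes the hole regardless of how the value
// reached the shortcode.
function demo_box_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'class' => '', 'title' => '' ),
        $atts,
        'demo_box'
    );

    $class = sanitize_html_class( $atts['class'], 'demo-box' ); // 'demo-box' is the fallback
    $title = sanitize_text_field( $atts['title'] );

    return sprintf(
        '<div class="%s" title="%s">%s</div>',
        esc_attr( $class ),
        esc_attr( $title ),
        esc_html( $title )
    );
}

// Register only the hardened handler; the vulnerable one is kept above for comparison.
add_shortcode( 'demo_box', 'demo_box_shortcode_hardened' );
```

The point of the two-step structure is that sanitization and escaping are not interchangeable: `sanitize_text_field()` limits what is stored or passed along, while `esc_attr()` and `esc_html()` guarantee the value cannot change the HTML structure at the point it is printed. A review of any shortcode handler should check that every attribute reaches the output through one of the `esc_*` functions for its context.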
Detection Guidance
Monitor logs for unusual input patterns in user posts, and watch for any changes in the behavior of the WordPress site that may indicate malicious activity. Ensure that web application firewalls are configured to detect and block XSS attempts.
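As an added example of the save-time monitoring suggested above (not part of the original advisory and not the plugin's code), the filter below inspects shortcode attributes in post content as it is saved by users who lack the `unfiltered_html` capability (Contributors by default) and writes an audit line to the PHP error log when an attribute value contains HTML markup characters or a `javascript:` scheme. The shortcode tag list, the character heuristic and the log format are assumptions to be tuned for a given site; the filter logs and does not block, so it can be deployed while the plugin is being updated.

```php
<?php
/**
 * Added example, not code from the User Submitted Posts plugin.
 * Audit hook: log markup-bearing shortcode attributes saved by users
 * without the unfiltered_html capability.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Shortcodes whose attributes end up in rendered HTML. 'usp_access' is the
// shortcode named in the advisory; 'demo_box' is a hypothetical placeholder.
const AUDIT_SHORTCODES = array( 'usp_access', 'demo_box' );

add_filter( 'wp_insert_post_data', 'audit_shortcode_attributes', 10, 2 );

function audit_shortcode_attributes( $data, $postarr ) {
    // Roles that may legitimately embed markup are not of interest here.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $data;
    }

    // wp_insert_post_data receives slashed data; unslash before inspection.
    $content = wp_unslash( $data['post_content'] );
    $regex   = '/' . get_shortcode_regex( AUDIT_SHORTCODES ) . '/';

    if ( preg_match_all( $regex, $content, $matches, PREG_SET_ORDER ) ) {
        foreach ( $matches as $m ) {
            $tag  = $m[2];                         // shortcode name
            $atts = shortcode_parse_atts( $m[3] ); // raw attribute string -> array

            foreach ( (array) $atts as $name => $value ) {
                if ( ! is_string( $value ) ) {
                    continue;
                }
                // Heuristic (assumption): angle brackets, quotes or a javascript:
                // scheme have no place in a plain-text shortcode attribute.
                if ( preg_match( '/[<>"\']|javascript:/i', $value ) ) {
                    error_log( sprintf(
                        'shortcode-audit: user=%d post_id=%s shortcode=%s attr=%s len=%d',
                        get_current_user_id(),
                        isset( $postarr['ID'] ) ? (string) $postarr['ID'] : 'new',
                        $tag,
                        $name,
                        strlen( $value )
                    ) );
                }
            }
        }
    }

    return $data; // never modify the post here; this hook only observes
}
```

The log line deliberately records the attribute name and length rather than the value itself, so the audit trail cannot re-inject content into whatever views the logs. Entries from this hook can be forwarded to the same pipeline that collects web server and WAF events, giving the "unusual input patterns" mentioned above a concrete source.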
AppSecure Threat Intelligence Insight
The emergence of vulnerabilities like CVE-2026-0913 underscores the necessity for robust input validation practices in software development. Security teams should regularly review and update their security posture to adapt to evolving threats and ensure comprehensive vulnerability management. For further insights, organizations can refer to our guides on vulnerability management programs and penetration testing methodologies to fortify their defenses.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.