{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0913", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-13T18:46:09.607Z", "datePublished": "2026-01-16T08:23:38.119Z", "dateUpdated": "2026-04-08T17:04:39.111Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:39.111Z"}, "affected": [{"vendor": "specialk", "product": "User Submitted Posts \u2013 Enable Users to Submit Posts from the Front End", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "20260110", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Submitted Posts \u2013 Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usp_access' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/85bf7a1b-3c54-40c9-8f19-fcb9dd478a0e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20251210/library/shortcode-access.php#L20"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439027/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-01-13T19:01:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-15T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T13:10:30.720759Z", "id": "CVE-2026-0913", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T13:10:40.814Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T13:10:30.720759Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T13:10:36.741Z"}}], "cna": {"title": "User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usp_access' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "specialk", "product": "User Submitted Posts \u2013 Enable Users to Submit Posts from the Front End", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "20260110"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-13T19:01:48.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-15T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/85bf7a1b-3c54-40c9-8f19-fcb9dd478a0e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20251210/library/shortcode-access.php#L20"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439027/"}], "descriptions": [{"lang": "en", "value": "The User Submitted Posts \u2013 Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:39.111Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0913", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:39.111Z", "dateReserved": "2026-01-13T18:46:09.607Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-16T08:23:38.119Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Submitted Posts \u2013 Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin User Submitted Posts \u2013 Enable Users a Submit Posts from the Front End para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'usp_access' del plugin en todas las versiones hasta, e incluyendo, 20260110 debido a una sanitizaci\u00f3n de entrada y escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-0913", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-16T09:16:20.760", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20251210/library/shortcode-access.php#L20"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3439027/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/85bf7a1b-3c54-40c9-8f19-fcb9dd478a0e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:09:53.416530+00:00", "value": {"mitigation_remediation": ["Update the User Submitted Posts plugin to a version newer than 20260110 (e.g., 20260111 or later).", "If an immediate upgrade is not feasible, remove or disable the \u2018usp_access\u2019 shortcode for untrusted users or restrict its usage to Administrators only.", "Apply robust input validation and output escaping in the shortcode handler, or enforce a Content Security Policy that blocks inline scripts to mitigate potential exploitation."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that allows authenticated users with Contributor privileges to inject malicious scripts into pages"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin User Submitted Posts by specialk. All versions up to and including 20260110 are impacted. Content owners who rely on this plugin for front\u2011end post submission and allow Contributor access should assume the vulnerability is present unless the plugin has been upgraded beyond 20260110.", "description_and_impact": "The User Submitted Posts plugin for WordPress is vulnerable to stored cross\u2011site scripting in all releases up to and including 20260110. The flaw stems from insufficient sanitization and escaping of attributes passed to the \u2018usp_access\u2019 shortcode. Consequently, authenticated contributors or higher can insert arbitrary JavaScript into any page that renders the shortcode, leading to defacement, credential theft, or distribution of malware when other users view the page.", "risk_and_exploitability": "The vulnerability scores a 6.4 on the CVSS framework, indicating a moderate to high risk, while the EPSS score is below 1%, suggesting low current exploitation probability. It is not listed in the CISA KEV catalogue. Exploitation requires an authenticated account with Contributor or higher privileges and the use of the \u2018usp_access\u2019 shortcode. An attacker can embed malicious scripts that will run in the browsers of any user who visits the affected page."}}}}, "created": "2026-01-16T13:41:39.507193+00:00", "updated": "2026-04-15T19:15:12.081436+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}