A high-severity vulnerability exists within the "User Submitted Posts" WordPress plugin, allowing attackers to inject malicious code into websites. This code executes in the browsers of visitors, including administrators, potentially leading to account takeovers, data theft, or complete website compromise. Immediate patching is required to mitigate the significant risk of reputational damage and data breaches.

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. An attacker can submit a post through the plugin's front-end form and embed malicious JavaScript code within the form's "custom fields." The plugin fails to properly sanitize this input before storing it in the database and does not escape the output when displaying the submitted post. Consequently, when any user or administrator views the page containing the malicious post, the embedded script executes within their browser, compromising their session.

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to severe consequences, including the theft of sensitive user data, session cookies, and administrator credentials. An attacker could hijack an administrator's session to gain full control of the WordPress site, allowing them to deface the website, install backdoors, create rogue admin accounts, or redirect users to malicious sites. These actions can result in significant reputational damage, loss of customer trust, and potential financial and legal liabilities.

Immediate Action: Immediately update the "User Submitted Posts – Enable Users to Submit Posts from the Front End" plugin to the latest available version, which addresses this vulnerability. After updating, conduct a thorough review of WordPress security settings. If the plugin's functionality is no longer essential for business operations, it should be deactivated and removed to reduce the overall attack surface.

Proactive Monitoring: Monitor web server access logs for suspicious POST requests to the plugin's submission pages, specifically inspecting custom field data for HTML script tags (<script>, onerror, onload) or other XSS payloads. Implement file integrity monitoring to detect unauthorized changes to plugin or theme files. Regularly audit user accounts for any unauthorized or suspicious new administrator-level users.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a robust ruleset to detect and block XSS attack patterns. Enforce a strict Content Security Policy (CSP) on the website to prevent the execution of unauthorized inline scripts, which would mitigate the impact of a successful injection. Temporarily disabling post submissions from untrusted user roles can also serve as a short-term mitigation.

Public Exploit Available: false

This vulnerability poses a high risk to the organization's web presence and data security. Due to the CVSS score of 7.2 and the potential for full site compromise, immediate action is critical. Although CVE-2026-0800 is not currently listed in the CISA KEV catalog, its presence in a common plugin makes it a prime target. We strongly recommend that all systems running the affected plugin be patched immediately to prevent exploitation.