CVE-2026-1296
Received - Intake
Open Redirection in Frontend Post Submission Manager Lite Plugin

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description
The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link.
Meta Information
Published: 2026-02-18
Last Modified: 2026-02-18
Generated: 2026-05-27
AI Q&A: 2026-02-18
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product | Version / Range
frontend_post_submission_manager_lite | frontend_post_submission_manager_lite | to 1.2.7 (inc)
frontend_post_submission_manager_lite | frontend_post_submission_manager_lite | 1.2.8
CWE ID | Description
CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

The Frontend Post Submission Manager Lite plugin for WordPress has an Open Redirection vulnerability in all versions up to and including 1.2.7. This vulnerability arises because the plugin does not properly validate the 'requested_page' POST parameter in the verify_username_password function.

As a result, unauthenticated attackers can exploit this flaw by tricking users into clicking on specially crafted links that cause the users to be redirected to potentially malicious websites.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to redirect your users to malicious sites without their consent. Such redirects can lead to phishing attacks, malware infections, or other harmful activities.

Since the vulnerability can be exploited by unauthenticated attackers, it poses a risk even if the attacker does not have any special access to your system.

The CVSS score of 6.1 (medium severity) reflects that the vulnerability requires user interaction (clicking a link) but can lead to partial confidentiality and integrity impacts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an open redirection via the 'requested_page' POST parameter in the Frontend Post Submission Manager Lite WordPress plugin (up to version 1.2.7). Detection involves monitoring HTTP POST requests to the affected plugin's login or submission endpoints that include the 'requested_page' parameter.

You can detect potential exploitation attempts by inspecting web server logs or using network monitoring tools to identify POST requests containing suspicious or external URLs in the 'requested_page' parameter.

Example commands to detect such attempts include:

- Using grep on web server access logs to find POST requests with 'requested_page':

    grep -i 'requested_page=' /var/log/apache2/access.log

- Using tcpdump or tshark to capture HTTP POST traffic and filter for 'requested_page':

    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'requested_page='

- Using a web application firewall (WAF) or IDS/IPS to alert on redirects or POST parameters containing external URLs.

Note that the plugin does not sanitize or validate the 'requested_page' parameter properly, so any redirect URLs that are external or suspicious should be flagged. [1, 2]
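Added example, not from the original page or the plugin: default Apache access logs record the request line but not POST bodies, and tcpdump on port 80 sees only unencrypted HTTP, so this triage script assumes you already capture request bodies (for example through a WAF audit log). The record layout, SITE_HOSTS, the sample data and the function names are all assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: hostnames this WordPress site legitimately serves.
SITE_HOSTS = {"blog.example.test"}

def classify_redirect_target(value, allowed_hosts=SITE_HOSTS):
    """Classify a requested_page value as 'local', 'allowed-host' or 'external'."""
    # Browsers ignore control characters and treat backslashes as slashes,
    # so normalise both before parsing.
    cleaned = "".join(ch for ch in value if ch >= " ").strip().replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "external"  # unparseable targets are treated as suspicious
    if not parts.scheme and not parts.netloc:
        return "local"  # plain path on the same site
    if parts.scheme in ("", "http", "https") and host in allowed_hosts:
        return "allowed-host"
    return "external"

def flag_external_redirects(records, allowed_hosts=SITE_HOSTS):
    """Return (timestamp, client_ip, target) for every external requested_page."""
    findings = []
    for timestamp, client_ip, body in records:
        # parse_qs percent-decodes the form body; the parameter may repeat.
        for target in parse_qs(body, keep_blank_values=True).get("requested_page", []):
            if classify_redirect_target(target, allowed_hosts) == "external":
                findings.append((timestamp, client_ip, target))
    return findings

# Constructed sample records: (timestamp, client IP, urlencoded POST body).
SAMPLE_RECORDS = [
    ("2026-02-19T10:01:12Z", "198.51.100.7", "username=alice&requested_page=%2Fsubmit-post%2F"),
    ("2026-02-19T10:03:40Z", "203.0.113.25", "username=bob&requested_page=https%3A%2F%2Fphish.example%2Flogin"),
    ("2026-02-19T10:04:02Z", "203.0.113.25", "username=bob&requested_page=%2F%2Fphish.example%2Flogin"),
    ("2026-02-19T10:05:15Z", "203.0.113.25", "username=bob&requested_page=https%3A%2F%2Fblog.example.test%40phish.example%2F"),
    ("2026-02-19T10:06:30Z", "198.51.100.7", "username=carol&requested_page=https%3A%2F%2Fblog.example.test%2Fdashboard%2F"),
]

if __name__ == "__main__":
    for finding in flag_external_redirects(SAMPLE_RECORDS):
        print(*finding, sep="  ")
```

Request bodies sent to a login endpoint contain credentials, so redact password fields before storing or processing such records.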


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to update the Frontend Post Submission Manager Lite plugin to version 1.2.8 or later, where the plugin replaces unsafe redirects with safe redirects using WordPress's wp_safe_redirect() function, which restricts redirects to safe URLs.

If immediate updating is not possible, consider the following temporary mitigations:

- Manually patch the plugin code to replace all instances of wp_redirect() with wp_safe_redirect() in the relevant PHP files, especially in class-fpsml-shortcode.php and class-fpsml-review.php.
- Implement web application firewall (WAF) rules to block or alert on POST requests containing suspicious 'requested_page' parameters that redirect to external or untrusted URLs.
- Restrict access to the plugin's login or submission endpoints to trusted IP addresses if feasible.

Additionally, ensure that all user inputs, especially URL parameters used for redirection, are validated and sanitized to prevent open redirect vulnerabilities. [4]

