CVE-2026-11570

Stored XSS in User Submitted Posts WordPress Plugin

Vulnerability report for CVE-2026-11570, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: WPScan

Description

The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE ID: CWE-UNKNOWN

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability CVE-2026-11570 is a stored cross-site scripting (XSS) flaw that allows unauthenticated attackers to inject malicious scripts which execute in the context of users viewing the affected posts, including administrators.

Such XSS vulnerabilities can lead to unauthorized access to user sessions, data theft, or manipulation, which may result in breaches of confidentiality and integrity of personal data.

Consequently, this vulnerability could impact compliance with data protection regulations like GDPR and HIPAA, which require appropriate security measures to protect personal data from unauthorized access or disclosure.

Failure to address this vulnerability might lead to violations of these standards due to potential exposure or compromise of sensitive user information.

Executive Summary

CVE-2026-11570 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin "User Submitted Posts" versions before 20260608.

The vulnerability occurs because the plugin does not properly escape user-submitted values before outputting them in an admin-configured display template.

An unauthenticated attacker can exploit this by submitting a crafted payload in the "Your Name" field of the submission form.

If a non-default display option is enabled, such as setting the "Name Display" option to "Before" or "After content" and placing the author placeholder inside an HTML attribute, the malicious script executes when the post is published and viewed.

This causes the injected JavaScript to run in the session of any visitor viewing the post, including administrators.

Impact Analysis

This vulnerability can lead to unauthorized execution of malicious JavaScript code in the browsers of users viewing the affected posts.

Because the script runs in the context of the site, it can steal session cookies, perform actions on behalf of logged-in users, or redirect users to malicious sites.

Since the vulnerability can be triggered by unauthenticated users and affects administrators as well, it poses a significant security risk.

The CVSS score of 7.5 (high) reflects the severity and potential impact of this issue.

Detection Guidance

This vulnerability can be detected by testing the User Submitted Posts WordPress plugin for stored cross-site scripting (XSS) issues in the "Your Name" submission field when a non-default display option is enabled.

A practical detection method is to submit a crafted payload such as `test" onmouseover="alert(document.domain)" x=` in the "Your Name" field of the submission form.

If the "Name Display" option is set to "Before" or "After content" and the "Name Markup" template places the `%%author%%` placeholder inside an HTML attribute, the payload will execute when the post is published and viewed.

No network- or host-level detection commands are provided for this vulnerability; detection relies on manually testing the plugin's submission form with the payload described above.

Mitigation Strategies

The immediate mitigation step is to update the User Submitted Posts WordPress plugin to version 20260608 or later, where this vulnerability has been fixed.

Until the update can be applied, disable the non-default "Name Display" settings ("Before" or "After content") so that the author placeholder is not rendered through the vulnerable template, which prevents exploitation.

Additionally, review and sanitize any user-submitted content manually if possible, and restrict access to the plugin's submission form to trusted users.
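The following is an added example, not the plugin's own code, that illustrates both the detection condition (the `%%author%%` placeholder sitting inside an HTML attribute) and the fix (escaping the submitted value for the attribute context before substitution). The function names, the template string and the sample submission are hypothetical constructs for the demonstration; `esc_attr()` is WordPress's real attribute-escaping function, and `htmlspecialchars` with `ENT_QUOTES` is used here as its plain-PHP stand-in so the script runs outside WordPress.

```php
<?php
// Added example (not the plugin's code). Names marked "hypothetical" are assumptions.

// Constructed submission of the kind the detection guidance describes.
const SAMPLE_AUTHOR = 'test" onmouseover="alert(document.domain)" x=';

// Hypothetical admin-configured "Name Markup" template that places the
// placeholder inside an attribute value: the risky configuration.
const ATTR_TEMPLATE = '<span class="usp-author" title="%%author%%">Submitted by a reader</span>';

// Vulnerable pattern: raw substitution of the submitted value.
function render_name_markup_unescaped(string $template, string $author): string {
    return str_replace('%%author%%', $author, $template);
}

// Hardened pattern: escape for the attribute context before substitution.
// In WordPress this is what esc_attr() does; htmlspecialchars with ENT_QUOTES
// is the plain-PHP equivalent used here.
function render_name_markup_escaped(string $template, string $author): string {
    $safe = htmlspecialchars($author, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace('%%author%%', $safe, $template);
}

// Configuration check for a saved template: does the placeholder appear inside
// a quoted attribute value of a tag? (a review heuristic, not an HTML parser)
function placeholder_inside_attribute(string $template): bool {
    return (bool) preg_match('/<[^>]*=\s*["\'][^"\']*%%author%%/', $template);
}

$unsafe = render_name_markup_unescaped(ATTR_TEMPLATE, SAMPLE_AUTHOR);
$safe   = render_name_markup_escaped(ATTR_TEMPLATE, SAMPLE_AUTHOR);

// Unescaped: the quote in the submission closes title="..." and
// onmouseover="..." becomes a separate attribute of the <span>.
echo "Unescaped: $unsafe\n";

// Escaped: quotes become &quot;, so the whole value stays inside title="...".
echo "Escaped:   $safe\n";

// "yes" for ATTR_TEMPLATE; "no" for a template such as <span>%%author%%</span>.
echo 'Placeholder inside an attribute: '
    . (placeholder_inside_attribute(ATTR_TEMPLATE) ? 'yes' : 'no') . "\n";
```

Run it with `php` on the command line to compare the two outputs. The check function is the kind of review a site operator can apply to the stored "Name Markup" setting while the interim mitigation is in place; escaping must still be chosen per output context (attribute versus text node), which is why the hardened renderer escapes quotes as well as angle brackets.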
