Ghostwire

CVE-2026-11570: The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an...

MEDIUM CVSS 0.0

Published: July 1, 2026 | Last Modified: July 1, 2026

Description

The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

References