CVE-2026-1867

MEDIUM 5.9

WP Front User Submit < 5.0.6 - Unauthenticated Sensitive Information Exposure

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6's settings, it is possible for an unauthenticated attacker to export and download all of the form data/settings, including the administrator's email address.

Vendor	unknown
Product	guest posting / frontend posting / front editor
Published	Mar 11, 2026
Last Updated	Mar 11, 2026

Stay Ahead of the Next One

Get instant alerts for unknown guest posting / frontend posting / front editor

Be the first to know when new medium vulnerabilities affecting unknown guest posting / frontend posting / front editor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / Guest posting / Frontend Posting / Front Editor

0 < 5.0.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/a78ebcd2-9355-4f4e-829e-b10867463576/

Credits

Mike Gozdiskowski WPScan