All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-11570
MEDIUMpublished 2026-07-01 07:16 UTC · 3 days ago · modified 2026-07-01 18:17 UTC
4.2
CVSS / 10
// description
The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.