Atomic Edge analysis of CVE-2026-2126:
This vulnerability is an incorrect authorization flaw in the User Submitted Posts WordPress plugin, versions up to and including 20260113. The vulnerability allows unauthenticated attackers to bypass frontend category restrictions and assign submitted posts to arbitrary categories, including those configured as restricted by the site administrator. The CVSS score of 5.3 reflects a moderate severity impact on the integrity of the post submission system.
Atomic Edge research identifies the root cause in the `usp_get_submitted_category()` function within the main plugin file `user-submitted-posts.php`. The vulnerable function, located at lines 296-320 in the patched version, directly accepts user-supplied category IDs from the `$_POST['user-submitted-category']` parameter without validating them against the administrator-configured allowed categories stored in `$usp_options['categories']`. The function processes both array and comma-separated string inputs, applying only `sanitize_text_field()` to user input in the vulnerable version, which does not enforce authorization checks.
Exploitation requires an attacker to craft a direct POST request to the plugin’s post submission endpoint, typically via the frontend form handler. The attacker manipulates the `user-submitted-category[]` parameter with arbitrary category IDs, including those not permitted in the plugin’s settings. The payload structure uses either an array format (`user-submitted-category[]=1&user-submitted-category[]=5`) or a comma-separated string (`user-submitted-category=1,5`). No authentication or special privileges are required, as the vulnerability exists in the category processing logic before any authorization checks on the submitted categories.
The patch modifies the `usp_get_submitted_category()` function in `user-submitted-posts.php` at lines 296-320. The fix introduces three key changes: it retrieves the global `$usp_options` array, extracts allowed categories as integers via `array_map('intval', $usp_options['categories'])`, and validates user input against this list using `array_intersect()` for arrays and `in_array()` for single values. User input is now cast to integers with `intval()` before validation. When submitted categories are not in the allowed list, the function defaults to the first allowed category or an empty string. This ensures only administrator-approved categories can be assigned to user-submitted posts.
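To make the difference between the vulnerable and patched logic concrete, the following is an added example, not the plugin's own code and not a verbatim copy of the patch. It reconstructs both shapes of `usp_get_submitted_category()` from the description above (sanitize-only versus intval plus allow-list check with a default). The `$usp_options['categories']` values, the stub for WordPress's `sanitize_text_field()`, and the sample request arrays are constructed so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): reconstruction of the category
// validation logic described in the analysis. sanitize_text_field() is
// stubbed so the script runs stand-alone.

if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Minimal stand-in for the WordPress helper: strip tags and trim.
        return trim(strip_tags((string) $str));
    }
}

// Constructed stand-in for the administrator-configured plugin options:
// only categories 3 and 7 are meant to be selectable from the frontend.
$usp_options = array('categories' => array('3', '7'));

// Normalise the request value into a list of raw strings, accepting both the
// array form (user-submitted-category[]) and the comma-separated string form.
function usp_example_raw_categories(array $post) {
    $raw = isset($post['user-submitted-category']) ? $post['user-submitted-category'] : '';
    if (is_array($raw)) {
        return array_values($raw);
    }
    $raw = sanitize_text_field($raw);
    return $raw === '' ? array() : explode(',', $raw);
}

// Vulnerable shape: input is sanitized but never compared with the allow-list,
// so any category ID the client sends is returned to the caller.
function usp_get_submitted_category_vulnerable(array $post) {
    return array_map('sanitize_text_field', usp_example_raw_categories($post));
}

// Hardened shape mirroring the patch description: cast to int, then keep only
// IDs present in the allow-list (array_intersect for several values,
// in_array for a single value), defaulting to the first allowed category.
function usp_get_submitted_category_fixed(array $post) {
    global $usp_options;

    $allowed = (isset($usp_options['categories']) && is_array($usp_options['categories']))
        ? array_map('intval', $usp_options['categories'])
        : array();

    $submitted = array_map('intval', usp_example_raw_categories($post));

    if (count($submitted) === 1) {
        $valid = in_array($submitted[0], $allowed, true) ? $submitted : array();
    } else {
        $valid = array_values(array_intersect($submitted, $allowed));
    }

    if (empty($valid)) {
        // Nothing permitted was submitted: fall back to the first allowed
        // category, or an empty string when no categories are configured.
        return empty($allowed) ? '' : $allowed[0];
    }
    return $valid;
}

// Constructed sample requests: one using only permitted IDs, one mixing a
// permitted ID with one outside the allow-list, one single disallowed value.
$requests = array(
    'permitted array'   => array('user-submitted-category' => array('3', '7')),
    'mixed array'       => array('user-submitted-category' => array('3', '42')),
    'single disallowed' => array('user-submitted-category' => '99'),
    'csv string'        => array('user-submitted-category' => '7,42'),
);

foreach ($requests as $label => $post) {
    echo $label, PHP_EOL;
    echo '  vulnerable: ', json_encode(usp_get_submitted_category_vulnerable($post)), PHP_EOL;
    echo '  fixed:      ', json_encode(usp_get_submitted_category_fixed($post)), PHP_EOL;
}
```

Running the script shows the vulnerable function echoing back whatever IDs were supplied, while the hardened function drops IDs outside `$usp_options['categories']` and substitutes the first allowed category when nothing valid remains. The `true` third argument to `in_array()` is a deliberate choice here so the comparison is strict after the `intval()` cast.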
Successful exploitation allows attackers to bypass intended content categorization controls. Attackers can assign posts to restricted, private, or administrative categories, potentially exposing sensitive category archives to public view or manipulating content organization. While the vulnerability does not directly enable privilege escalation or remote code execution, it undermines the plugin’s content moderation and categorization system, allowing unauthorized content placement within the site’s information architecture.
