The 'User Submitted Posts – Enable Users to Submit Posts from the Front End' WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) in its 'usp_access' shortcode. This vulnerability arises from inadequate sanitization and escaping of user input attributes, allowing authenticated users with Contributor or higher privileges to inject arbitrary JavaScript code. The injected scripts execute in the context of any user who views the compromised page, potentially leading to session hijacking or other client-side attacks. The issue affects all plugin versions up to 20260110. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, and partial confidentiality and integrity impact with no availability impact. No patch or remediation details are currently available.

An authenticated attacker with Contributor-level or higher privileges can exploit this vulnerability to inject persistent malicious scripts into pages via the 'usp_access' shortcode. These scripts execute in the browsers of users who visit the affected pages, potentially compromising user sessions or performing unauthorized actions within the context of the affected site. The impact includes partial loss of confidentiality and integrity but does not affect availability. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting Contributor-level user permissions or disabling the 'User Submitted Posts – Enable Users to Submit Posts from the Front End' plugin if feasible. Monitor vendor channels for updates and apply patches promptly once released.