CVE-2026-2126 is an incorrect authorization vulnerability (CWE-863) in the specialk User Submitted Posts – Enable Users to Submit Posts from the Front End WordPress plugin. The issue exists because the usp_get_submitted_category() function does not validate user-submitted category IDs against the admin-configured allowed categories stored in usp_options['categories']. Consequently, unauthenticated attackers can craft POST requests with manipulated user-submitted-category[] parameters to assign posts to arbitrary or restricted categories, bypassing frontend category restrictions. This affects all plugin versions up to and including 20260113. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, but low integrity impact.

The vulnerability allows unauthenticated attackers to assign submitted posts to arbitrary categories, including restricted ones, thereby modifying the integrity of post categorization within the WordPress site. There is no direct impact on confidentiality or availability. No known exploits in the wild have been reported. The integrity impact is considered low, but the ability to bypass category restrictions could affect content organization and potentially site behavior or moderation workflows.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling the User Submitted Posts plugin or restricting its use to trusted users only. Monitoring for unusual post category assignments may help detect exploitation attempts. Avoid relying solely on frontend category restrictions for security.