CVE-2026-1296

Frontend Post Submission Manager Lite <= 1.2.7 - Unauthenticated Open Redirect via 'requested_page' Parameter

CVSS 6.1 MEDIUMEPSS 0.5%CWE-601

Vexday Risk Score

28Bajo

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS 6.1EPSS 0.5%KEV nãoPoC —Nuclei simMetasploit —Patch —

Ciclo de vida

18 feb 2026Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Productos afectados

wpshuffle · Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-shortcode.php#L108 https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/trunk/includes/classes/class-fpsml-shortcode.php#L108 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3458652%40frontend-post-submission-manager-lite&new=3458652%40frontend-post-submission-manager-lite&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/92c52129-7cf5-4a1b-80a1-b01140e6a72b?source=cve