CVE-2026-1296
Frontend Post Submission Manager Lite <= 1.2.7 - Unauthenticated Open Redirect via 'requested_page' Parameter
Vexday Risk Score
28Baixo
Decisão SSVC (CISA)
Attend
PoC disponível → acompanhar de perto
CVSS 6.1EPSS 0.5%KEV nãoPoC —Nuclei simMetasploit —Patch —
Ciclo de vida
18 fev 2026Publicada no NVD
Recomendação: Planejar correção próxima — já existe PoC pública.
The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Produtos afetados
wpshuffle · Frontend Post Submission Manager Lite – Frontend Posting WordPress PluginQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-shortcode.php#L108https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/trunk/includes/classes/class-fpsml-shortcode.php#L108https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3458652%40frontend-post-submission-manager-lite&new=3458652%40frontend-post-submission-manager-lite&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/92c52129-7cf5-4a1b-80a1-b01140e6a72b?source=cve