CVE-2026-1296

MEDIUM NUCLEI

Frontend Post Submission Manager Lite <=1.2.7 - Open Redirect

Description

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link.

Exploits (1)

github WORKING POC
by Sechunt3r · shellpoc
https://github.com/Sechunt3r/CVE-POCs/tree/main/CVE-2026-1296

Nuclei Templates (1)

Frontend Post Submission Manager Lite <= 1.2.7 - Open Redirect
MEDIUM · VERIFIED · by Shivam Kamboj

Scores

CVSS v3 6.1
EPSS 0.0034
EPSS Percentile 56.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-601
Status published
Products (1)
wpshuffle/Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin 1.0.0 - 1.2.7
Published Feb 18, 2026
Tracked Since Feb 18, 2026