CVE-2026-1296 PUBLISHED

Frontend Post Submission Manager Lite <= 1.2.7 - Unauthenticated Open Redirect via 'requested_page' Parameter

Assigner: Wordfence
Reserved: 21.01.2026 Published: 18.02.2026 Updated: 18.02.2026

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 6.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	wpshuffle
Product	Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin
Versions	Default: unaffected affected from 1.0.0 to 1.2.7 (incl.)

CVE-2026-1296 PUBLISHED

Frontend Post Submission Manager Lite <= 1.2.7 - Unauthenticated Open Redirect via 'requested_page' Parameter

Metrics

Product Status

Credits

References

Problem Types