CVE-2026-1296
Severity CVSS v4.0:
Pending analysis
Type:
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Publication date:
18/02/2026
Last modified:
18/02/2026
Description
The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action such as clicking on a link.
Impact
Base Score 3.x
6.10
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-shortcode.php#L108
- https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/trunk/includes/classes/class-fpsml-shortcode.php#L108
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3458652%40frontend-post-submission-manager-lite&new=3458652%40frontend-post-submission-manager-lite
- https://www.wordfence.com/threat-intel/vulnerabilities/id/92c52129-7cf5-4a1b-80a1-b01140e6a72b?source=cve