Guest posting / Frontend Posting / Front Editor – WP Front User Submit Security & Risk Analysis

wordpress.org/plugins/front-editor

This plugin enables users to submit post content from the front end. Use our plugin to implement guest posting.

100 active installs · v5.0.6 · PHP 7.0+ · WP 4.0+ · Updated Feb 16, 2026

Tags: frontend-post, guest-post, public-post, user-post

Security score: 52 (C · Use Caution)
CVEs total: 9
Unpatched: 2
Last CVE: Jan 6, 2026
Safety Verdict

Is Guest posting / Frontend Posting / Front Editor – WP Front User Submit Safe to Use in 2026?

Use With Caution

Score 52/100

Guest posting / Frontend Posting / Front Editor – WP Front User Submit has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

9 known CVEs · 2 unpatched · Last CVE: Jan 6, 2026 · Updated 1mo ago
Risk Assessment

The "front-editor" plugin version 5.0.6 presents a moderate to high security risk due to several concerning factors. While the plugin uses prepared statements for all SQL queries and has a reasonable number of nonce and capability checks, significant concerns arise from its attack surface and vulnerability history. The presence of 4 unprotected entry points (2 AJAX handlers and 2 REST API routes without permission callbacks) is a critical weakness, potentially allowing unauthorized access to and manipulation of plugin functionality. Furthermore, the plugin has a history of 9 known CVEs, 2 of them currently unpatched, and a recent vulnerability in 2026. This indicates a pattern of security flaws, with common types including missing authorization, open redirects, XSS, and CSRF, suggesting a recurring struggle with robust security implementation. The code analysis also shows that 40% of output is not properly escaped, increasing the risk of XSS vulnerabilities.

Key Concerns

  • 4 unprotected entry points (AJAX/REST API)
  • 2 currently unpatched CVEs
  • 40% of output not properly escaped
  • Bundled Freemius v1.0 library
  • History of 9 medium severity CVEs
Vulnerabilities (9)

Guest posting / Frontend Posting / Front Editor – WP Front User Submit Security Vulnerabilities

CVEs by Year

  • 2023: 3 CVEs
  • 2024: 1 CVE
  • 2025: 4 CVEs (includes unpatched)
  • 2026: 1 CVE

Severity Breakdown

Medium: 9 (9 total CVEs)

CVE-2025-13419 · medium · 5.3 · Missing Authorization

Guest posting / Frontend Posting / Front Editor – WP Front User Submit <= 5.0.0 - Missing Authorization to Unauthenticated Media Deletion

Jan 6, 2026 · Patched in 5.0.1 (1d)

CVE-2025-12569 · medium · 4.7 · URL Redirection to Untrusted Site ('Open Redirect')

Front User Submit <= 4.9.5 - Open Redirect

Nov 3, 2025 · Patched in 5.0.0 (29d)

CVE-2025-28988 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Front User Submit / Front Editor <= 4.9.3 - Reflected Cross-Site Scripting

Jun 23, 2025 · Patched in 4.9.4 (9d)

CVE-2025-52795 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Front User Submit / Front Editor <= 4.9.4 - Cross-Site Request Forgery

Jun 19, 2025 · Unpatched

CVE-2025-47617 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Front User Submit / Front Editor <= 4.9.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 7, 2025 · Unpatched

CVE-2024-2967 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor <= 4.4.7 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 29, 2024 · Patched in 4.4.8 (47d)

CVE-2023-1982 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor <= 4.4.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Aug 2, 2023 · Patched in 4.4.7 (335d)

WF-5bc03b4a-f7ec-4827-b914-0560b9268b6f-front-editor · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Front User Submit | Front Editor <= 3.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Jun 27, 2023 · Patched in 3.8.5 (210d)

WF-f34722fb-e852-4194-b839-7d885d212fc9-front-editor · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Front User Submit | Front Editor <= 3.7.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Jun 12, 2023 · Patched in 3.8.0 (225d)
Code Analysis
Analyzed Mar 16, 2026

Guest posting / Frontend Posting / Front Editor – WP Front User Submit Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (3 prepared)
Unescaped Output: 248 (365 escaped)
Nonce Checks: 13
Capability Checks: 17
File Operations: 9
External Requests: 3
Bundled Libraries: 2

Bundled Libraries

TinyMCE, Freemius 1.0

SQL Query Safety

100% prepared (3 total queries)

Output Escaping

60% escaped (613 total outputs)

Data Flows: all sanitized

Data Flow Analysis

2 flows

search_box (inc\PostFormsListTable.php:138)
Diagram legend: Source (user input) → Sink (dangerous op); Sanitizer / Transform; Unsanitized / Sanitized
Attack Surface
4 unprotected

Guest posting / Frontend Posting / Front Editor – WP Front User Submit Attack Surface

Entry Points: 25
Unprotected: 4

AJAX Handlers (7)

auth · wp_ajax_fe_get_formBuilder_data · inc\Form.php:60
auth · wp_ajax_save_post_front_settings · inc\Form.php:62
auth · wp_ajax_save_migration_settings · inc\Form.php:64
auth · wp_ajax_fus_login · inc\LoginRegisterShortcode.php:22
nopriv · wp_ajax_fus_login · inc\LoginRegisterShortcode.php:23
auth · wp_ajax_fus_register · inc\LoginRegisterShortcode.php:25
nopriv · wp_ajax_fus_register · inc\LoginRegisterShortcode.php:26

REST API Routes (9)

POST /wp-json/bfe/v1/process · inc\fields\FileField.php:27
DELETE /wp-json/bfe/v1/revert · inc\fields\FileField.php:34
GET /wp-json/bfe/v1/load/(?P<id>\d+) · inc\fields\FileField.php:41
POST /wp-json/bfe/v1/form · inc\Form.php:72
POST /wp-json/bfe/v1/add-update-form · inc\Form.php:80
POST /wp-json/bfe/v1/add_or_update_post · inc\SavePost.php:72
POST /wp-json/bfe/v1/post_thumb_uploading_image · inc\SavePost.php:77
POST /wp-json/bfe/v1/upload_image · inc\SavePost.php:82
POST /wp-json/bfe/v1/upload_file · inc\SavePost.php:87

Shortcodes (9)

[fus_form_login] inc\LoginRegisterShortcode.php:15
[fus_form_register] inc\LoginRegisterShortcode.php:16
[fus_custom_field_content] inc\shortcodes\FUSCustomFieldContent.php:6
[fus_google_map] inc\shortcodes\FUSGoogleMapsShortcode.php:7
[bfe-front-editor] inc\Shortcodes.php:10
[user_posts_list] inc\Shortcodes.php:12
[fe_fs_user_admin] inc\Shortcodes.php:14
[fe_form] inc\Shortcodes.php:16
[fus_display_field] inc\Shortcodes.php:18
WordPress Hooks (96)

action · init · FrontUserSubmit.php:26
action · plugins_loaded · FrontUserSubmit.php:28
filter · post_row_actions · FrontUserSubmit.php:30
action · BFE_activate · FrontUserSubmit.php:32
action · BFE_deactivate · FrontUserSubmit.php:34
action · wp_enqueue_scripts · FrontUserSubmit.php:76
action · admin_footer · FrontUserSubmit.php:77
filter · show_admin_bar · functions.php:38
action · pre_get_posts · functions.php:79
action · init · inc\Blocks.php:21
action · enqueue_block_editor_assets · inc\Blocks.php:22
action · BFE_activate · inc\DemoData.php:16
action · BFE_deactivate · inc\DemoData.php:17
action · init · inc\DemoData.php:18
action · init · inc\DemoData.php:20
filter · display_post_states · inc\DemoData.php:30
action · wp_footer · inc\EditorWidget.php:11
filter · the_content · inc\EditorWidget.php:13
filter · admin_post_form_formBuilder_settings · inc\fields\ActionHook.php:13
filter · admin_post_form_formBuilder_settings · inc\fields\ButtonField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\CheckboxGroupField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\DateField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\EditorJsField.php:28
filter · bfe_front_editor_localize_data · inc\fields\EditorJsField.php:30
action · bfe_ajax_after_front_editor_post_update_or_creation · inc\fields\EditorJsField.php:35
filter · bfe_front_editor_localize_data · inc\fields\EditorJsField.php:38
filter · fe_localize_post_html_content · inc\fields\EditorJsField.php:41
action · bfe_editor_on_front_field_adding · inc\fields\EditorJsField.php:43
filter · admin_post_form_formBuilder_settings · inc\fields\FileField.php:18
action · rest_api_init · inc\fields\FileField.php:19
filter · bfe_front_editor_localize_data · inc\fields\FileField.php:20
filter · admin_post_form_formBuilder_settings · inc\fields\GoogleMapField.php:18
filter · bfe_front_editor_localize_data · inc\fields\GoogleMapField.php:19
filter · admin_post_form_formBuilder_settings · inc\fields\GoogleRecaptcha.php:13
filter · admin_post_form_formBuilder_settings · inc\fields\hCaptcha.php:13
filter · admin_post_form_formBuilder_settings · inc\fields\HeaderField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\HiddenField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\MdEditor.php:28
action · bfe_ajax_after_front_editor_post_update_or_creation · inc\fields\MdEditor.php:35
action · bfe_editor_on_front_field_adding · inc\fields\MdEditor.php:37
action · bfe_ajax_before_post_update_or_creation · inc\fields\MdEditor.php:40
filter · admin_post_form_formBuilder_settings · inc\fields\NumberField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\ParagraphField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\PostThumbField.php:19
action · bfe_editor_on_front_field_adding · inc\fields\PostThumbField.php:20
filter · bfe_ajax_before_front_editor_post_update_or_creation · inc\fields\PostThumbField.php:26
filter · bfe_front_editor_localize_data · inc\fields\PostThumbField.php:35
filter · admin_post_form_formBuilder_settings · inc\fields\PostTitleField.php:19
action · fe_before_wp_admin_form_create_save · inc\fields\PostTitleField.php:21
action · bfe_editor_on_front_field_adding · inc\fields\PostTitleField.php:23
action · bfe_ajax_before_post_update_or_creation · inc\fields\PostTitleField.php:30
filter · bfe_ajax_before_front_editor_post_update_or_creation · inc\fields\PostTitleField.php:37
filter · bfe_ajax_before_front_editor_post_update_or_creation · inc\fields\PostTitleField.php:44
filter · admin_post_form_formBuilder_settings · inc\fields\RadioGroupField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\SelectField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\TaxonomiesFields.php:14
action · bfe_editor_on_front_field_adding · inc\fields\TaxonomiesFields.php:15
filter · bfe_ajax_before_front_editor_post_update_or_creation · inc\fields\TaxonomiesFields.php:21
action · bfe_ajax_after_front_editor_post_update_or_creation · inc\fields\TaxonomiesFields.php:30
filter · admin_post_form_formBuilder_settings · inc\fields\TextareaField.php:23
action · bfe_editor_on_front_field_adding · inc\fields\TextareaField.php:25
action · bfe_ajax_after_front_editor_post_update_or_creation · inc\fields\TextareaField.php:26
action · bfe_ajax_before_post_update_or_creation · inc\fields\TextareaField.php:28
filter · admin_post_form_formBuilder_settings · inc\fields\TextField.php:18
filter · admin_post_form_formBuilder_settings · inc\fields\TinyMCE.php:18
action · bfe_editor_on_front_field_adding · inc\fields\TinyMCE.php:19
action · bfe_ajax_after_front_editor_post_update_or_creation · inc\fields\TinyMCE.php:25
action · bfe_ajax_before_post_update_or_creation · inc\fields\TinyMCE.php:32
action · init · inc\Form.php:50
action · admin_enqueue_scripts · inc\Form.php:55
action · rest_api_init · inc\Form.php:66
action · bfe_ajax_after_front_editor_post_update_or_creation · inc\FormMetaBox.php:25
action · add_meta_boxes · inc\FormMetaBox.php:26
action · save_post · inc\FormMetaBox.php:27
action · init · inc\LoginRegisterShortcode.php:19
action · wp_enqueue_scripts · inc\LoginRegisterShortcode.php:29
action · admin_menu · inc\MenuSettings.php:31
action · admin_init · inc\MenuSettings.php:69
action · admin_init · inc\MenuSettings.php:71
action · admin_init · inc\MenuSettings.php:73
action · bfe_front_editor_settings_before_form · inc\MenuSettings.php:78
action · admin_notices · inc\MenuSettings.php:83
action · admin_enqueue_scripts · inc\MenuSettings.php:88
action · edit_form_after_title · inc\MenuSettings.php:107
action · bfe_ajax_after_front_editor_post_inserted · inc\Notifications.php:9
action · bfe_ajax_after_front_editor_post_inserted · inc\Notifications.php:11
action · post_updated · inc\Notifications.php:13
action · save_post · inc\SavePost.php:28
action · fe_before_gallery_block_images_html_render · inc\SavePost.php:37
action · fe_before_simple_image_block_images_html_render · inc\SavePost.php:43
filter · bfe_ajax_after_successfully_post_redirect · inc\SavePost.php:52
filter · bfe_ajax_after_successfully_post_edited · inc\SavePost.php:58
action · rest_api_init · inc\SavePost.php:68
action · init · inc\shortcodes\FUSCustomFieldContent.php:24
action · init · inc\shortcodes\FUSGoogleMapsShortcode.php:106
action · wp_enqueue_scripts · inc\UserAdmin.php:28
Maintenance & Trust

Guest posting / Frontend Posting / Front Editor – WP Front User Submit Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 16, 2026
PHP min version: 7.0
Downloads: 26K

Community Trust

Rating: 100/100
Number of ratings: 22
Active installs: 100
Developer Profile

Guest posting / Frontend Posting / Front Editor – WP Front User Submit Developer Profile

aharonyan

2 plugins · 200 total installs

Trust score: 59
Avg Security Score: 72/100
Avg Patch Time: 122 days
Detection Fingerprints

How We Detect Guest posting / Frontend Posting / Front Editor – WP Front User Submit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/front-editor/build/front.js
/wp-content/plugins/front-editor/build/frontStyle.css
/wp-content/plugins/front-editor/build/useradmin.js

Version Parameters

front-editor/build/front.asset.php
front-editor/build/useradmin.asset.php

HTML / DOM Fingerprints

CSS Classes
bfe_front_editor_link
JS Globals
useradmin
FAQ

Frequently Asked Questions about Guest posting / Frontend Posting / Front Editor – WP Front User Submit