User Submitted Posts – Enable Users to Submit Posts from the Front End Security & Risk Analysis

wordpress.org/plugins/user-submitted-posts

Enable visitors to submit posts and images from the front-end of your site. Many features including anti-spam security, content restriction, and more.

10K active installs · v20260217 · PHP 5.6.20+ · WP 4.7+ · Updated Feb 17, 2026
Tags: frontend-post, guest-post, public-post, submit-post, visitor-post

Score: 76 (B · Generally Safe)
CVEs total: 12
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is User Submitted Posts – Enable Users to Submit Posts from the Front End Safe to Use in 2026?

Mostly Safe

Score 76/100

User Submitted Posts – Enable Users to Submit Posts from the Front End is generally safe to use. 12 past CVEs were resolved. Keep it updated.

12 known CVEs · Last CVE: Feb 17, 2026 · Updated 1mo ago
Risk Assessment

The "user-submitted-posts" plugin, with version v20260217, presents a mixed security posture. On the positive side, the static analysis reveals good practices in several key areas. All identified AJAX handlers and REST API routes appear to have authentication checks, and SQL queries are exclusively using prepared statements, which significantly mitigates SQL injection risks. The presence of nonce and capability checks further strengthens its defenses against common web attacks.

However, concerns arise from the plugin's vulnerability history, which shows a substantial number of known CVEs (12 total), including 2 critical and 3 high-severity issues. The common vulnerability types, such as Incorrect Authorization, Open Redirect, Cross-site Scripting, and Unrestricted File Upload, indicate recurring weaknesses in input validation and access control. While there are currently no unpatched CVEs, the volume and severity of past vulnerabilities suggest a historical pattern of security oversights. Furthermore, the taint analysis identified one flow with an unsanitized path; although it was not classified as critical or high severity, it still represents a potential, albeit low-level, risk that should be addressed.

In conclusion, while the current version has implemented some robust security measures, the plugin's past security record is a significant red flag. The potential for critical and high-severity vulnerabilities to re-emerge, coupled with the single unsanitized path identified in the taint analysis, means that users should exercise caution. Continuous monitoring for new vulnerabilities and thorough code audits are recommended for this plugin.

Key Concerns

  • High number of historical CVEs (2 critical, 3 high)
  • Taint flow with unsanitized path
  • 73% output escaping (27% unescaped)
  • 12 total known CVEs
Vulnerabilities (12)

User Submitted Posts – Enable Users to Submit Posts from the Front End Security Vulnerabilities

CVEs by Year

2016: 1 CVE
2019: 1 CVE
2023: 4 CVEs
2024: 1 CVE
2025: 1 CVE
2026: 4 CVEs

Severity Breakdown

Critical: 2
High: 3
Medium: 7

12 total CVEs

CVE-2026-2126 · medium · 5.3 · Incorrect Authorization
User Submitted Posts <= 20260113 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter
Feb 17, 2026 · Patched in 20260217 (1d)

CVE-2026-0800 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20251210 - Unauthenticated Stored Cross-Site Scripting via Custom Field
Jan 23, 2026 · Patched in 20260110 (1d)

CVE-2026-0913 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usp_access' Shortcode
Jan 15, 2026 · Patched in 20260113 (1d)

CVE-2025-68509 · medium · 5.3 · URL Redirection to Untrusted Site ('Open Redirect')
User Submitted Posts <= 20251121 - Unauthenticated Open Redirect
Jan 1, 2026 · Patched in 20251210 (5d)

CVE-2025-2874 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Submitted Posts <= 20241026 - Authenticated (Admin+) Stored Cross-Site Scripting
Apr 2, 2025 · Patched in 20250327 (1d)

CVE-2024-5002 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20240319 - Authenticated (Admin+) Stored Cross-Site Scripting
Jun 22, 2024 · Patched in 20240516 (49d)

CVE-2023-45603 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
User Submitted Posts <= 20230902 - Unauthenticated Arbitrary File Upload
Oct 10, 2023 · Patched in 20230914 (105d)

CVE-2023-7251 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Submitted Posts <= 20230901 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Sep 6, 2023 · Patched in 20230902 (232d)

CVE-2023-4779 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20230811 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Sep 5, 2023 · Patched in 20230901 (140d)

CVE-2023-4308 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Submitted Posts <= 20230809 - Unauthenticated Stored Cross-Site Scripting via 'user-submitted-content'
Aug 14, 2023 · Patched in 20230811 (548d)

CVE-2019-25138 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
User Submitted Posts <= 20190312 - Unauthenticated Arbitrary File Upload
May 2, 2019 · Patched in 20190426 (1727d)

CVE-2016-11001 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
User Submitted Posts < 20160215 - Reflected Cross-Site Scripting
Feb 10, 2016 · Patched in 20160215 (2904d)
Code Analysis
Analyzed Mar 16, 2026

User Submitted Posts – Enable Users to Submit Posts from the Front End Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (3 prepared)
Unescaped Output: 112 (306 escaped)
Nonce Checks: 4
Capability Checks: 4
File Operations: 6
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

100% prepared (3 total queries)

Output Escaping

73% escaped (418 total outputs)

Data Flows: 1 unsanitized

Data Flow Analysis

4 flows, 1 with unsanitized paths
usp_verify_recaptcha (user-submitted-posts.php:547)
Attack Surface

User Submitted Posts – Enable Users to Submit Posts from the Front End Attack Surface

Entry Points: 10
Unprotected: 0

AJAX Handlers 2

auth · wp_ajax_challenge_nonce · library\enqueue-scripts.php:224
nopriv · wp_ajax_challenge_nonce · library\enqueue-scripts.php:225

Shortcodes 8

[usp_access] library\shortcode-access.php:48
[usp_visitor] library\shortcode-access.php:92
[usp_member] library\shortcode-access.php:136
[usp-login-form] library\shortcode-login.php:209
[usp-reset-button] library\shortcode-misc.php:40
[usp_display_posts] library\shortcode-misc.php:144
[usp_gallery] library\shortcode-misc.php:180
[user-submitted-posts] user-submitted-posts.php:731
WordPress Hooks 31

filter · the_content · library\core-functions.php:63
filter · the_content · library\core-functions.php:165
filter · the_content · library\core-functions.php:201
filter · the_content · library\core-functions.php:242
filter · the_content · library\core-functions.php:293
filter · the_content · library\core-functions.php:344
action · wp_enqueue_scripts · library\enqueue-scripts.php:114
action · admin_enqueue_scripts · library\enqueue-scripts.php:211
action · admin_menu · library\plugin-settings.php:12
action · admin_init · library\plugin-settings.php:21
filter · plugin_action_links · library\plugin-settings.php:51
filter · plugin_row_meta · library\plugin-settings.php:76
filter · admin_footer_text · library\plugin-settings.php:99
filter · safe_style_css · library\plugin-settings.php:138
action · admin_init · library\plugin-settings.php:165
action · updated_option · library\plugin-settings.php:999
action · admin_notices · library\plugin-settings.php:1277
action · admin_init · library\plugin-settings.php:1300
action · admin_init · library\plugin-settings.php:1329
filter · the_content · library\shortcode-access.php:165
action · init · user-submitted-posts.php:105
action · admin_init · user-submitted-posts.php:137
filter · widget_text · user-submitted-posts.php:156
action · parse_request · user-submitted-posts.php:513
action · add_meta_boxes · user-submitted-posts.php:678
action · restrict_manage_posts · user-submitted-posts.php:767
action · parse_query · user-submitted-posts.php:800
filter · the_author · user-submitted-posts.php:822
action · init · user-submitted-posts.php:1735
action · wp_logout · user-submitted-posts.php:1948
action · admin_init · user-submitted-posts.php:1967
Maintenance & Trust

User Submitted Posts – Enable Users to Submit Posts from the Front End Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 17, 2026
PHP min version: 5.6.20
Downloads: 1.2M

Community Trust

Rating: 96/100
Number of ratings: 907
Active installs: 10K
Developer Profile

User Submitted Posts – Enable Users to Submit Posts from the Front End Developer Profile

Jeff Starr

30 plugins · 1.2M total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 345 days
Detection Fingerprints

How We Detect User Submitted Posts – Enable Users to Submit Posts from the Front End

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-submitted-posts/css/style.css
/wp-content/plugins/user-submitted-posts/js/usp-scripts.js
Script Paths
/wp-content/plugins/user-submitted-posts/js/usp-scripts.js
Version Parameters
user-submitted-posts/css/style.css?ver=
user-submitted-posts/js/usp-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
usp_form
HTML Comments
<!-- USP Plugin START -->
<!-- USP Plugin END -->
<!-- USP Form START -->
<!-- USP Form END -->
(+2 more)
Data Attributes
data-usp-action, data-usp-id
JS Globals
usp_vars
Shortcode Output
[user-submitted-posts], [usp_form], [usp_login], [usp_logout]