Guest posting / Frontend Posting / Front Editor – WP Front User Submit < 5.0.6 - Unauthenticated Information Exposure
Description
The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 5.0.6 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Technical Details
What Changed in the Fix
Changes introduced in v5.0.6
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-1867
1. Vulnerability Summary
The WP Front User Submit (front-editor) plugin for WordPress is vulnerable to Unauthenticated Sensitive Information Exposure in versions up to 5.0.6.
The vulnerability manifests in two primary ways:
- Debug Endpoint Leak: A hook in `inc/DemoData.php` allows unauthenticated users to trigger a function that dumps the plugin's configuration (including potentially sensitive email settings and form structures) into a publicly accessible JSON file within the plugin directory.
- Frontend Localization Leak: The plugin enqueues a localized JavaScript object `editor_data` on any page containing the `[fe_form]` shortcode. If guest posting is enabled, this object is exposed to unauthenticated users and contains the entire `fe_form_settings` meta-array and a valid `wp_rest` nonce.
2. Attack Vector Analysis
- Endpoints:
  - Vector 1 (Debug): Any frontend URL with the query parameter `?default_form_data=1`.
  - Vector 2 (Localization): Any page containing the `[fe_form]` shortcode (by default, the plugin creates one at `/front-user-submit-form/`).
- Authentication: None required (Unauthenticated).
- Preconditions:
  - For Vector 1: The plugin directory `templates/` must be
Summary
The WP Front User Submit plugin exposes sensitive information, including REST API nonces and full plugin configuration data, to unauthenticated users. This occurs through a debug endpoint that writes configuration to a public JSON file and via the frontend localization of form settings on pages where guest posting is enabled.
Vulnerable Code
```php
// inc/DemoData.php (around line 174 in v5.0.5)
public static function json_generate()
{
    if (!isset($_GET['default_form_data'])) {
        return;
    }

    $args = [
        'post_type' => self::$post_type,
        'post_name' => self::$post_name,
    ];
    $posts = get_posts($args);
    $data = [
        'fe_post_updated_from_admin' => get_post_meta($posts[0]->ID, 'fe_post_updated_from_admin', true),
        'formBuilderData' => get_post_meta($posts[0]->ID, 'formBuilderData', true),
        'fe_form_settings' => get_post_meta($posts[0]->ID, 'fe_form_settings', true),
    ];
    $json = json_encode($data, JSON_PRETTY_PRINT);
    $file_json = self::$file_json_demo_data;
    $fp = fopen($file_json, 'w');
    fwrite($fp, $json);
    fclose($fp);
    do_action('qm/debug', $json);
}
```

```php
// inc/Editor.php (around line 90 in v5.0.5)
$data = [
    'ajax_url' => admin_url('admin-ajax.php'),
    'html_post_content' => apply_filters('fe_localize_post_html_content', [], $attributes, $post_id),
    'is_user_logged_in' => is_user_logged_in(),
    'rest_url_update_form' => get_rest_url(null, 'bfe/v1/add_or_update_post'),
    'nonce' => wp_create_nonce('wp_rest'),
    'form_id' => $attributes['id'],
    'rest_url_image' => get_rest_url(null, 'bfe/v1/upload_image'),
    'rest_url_upload_file' => get_rest_url(null, 'bfe/v1/upload_file'),
    'rest_url_post_thumb_uploading_image' => get_rest_url(null, 'bfe/v1/post_thumb_uploading_image'),
    'form_settings' => $form_settings,
    // ...
];
$wp_localize_data = apply_filters('bfe_front_editor_localize_data', $data, $attributes, $post_id);
// ...
// wp localize script is not working on Twenty Twenty-Three this solution helped
printf('<script>var editor_data = %s</script>', json_encode($wp_localize_data));
```
Security Fix
@@ -18,7 +18,7 @@ add_action('init', [__CLASS__, 'json_generate']); add_action('init', function () { - if (isset($_GET['ddd'])) { + if (isset($_GET['ddd']) && current_user_can('manage_options')) { self::create_demo_page(); } @@ -188,6 +188,10 @@ return; } + if (!current_user_can('manage_options')) { + return; + } + $args = [ 'post_type' => self::$post_type, 'post_name' => self::$post_name,
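Review bot: In the first hunk (`@@ -18,7 +18,7 @@`), the `ddd` branch still runs a state-changing call, `self::create_demo_page()`, from a bare GET parameter. The added `current_user_can('manage_options')` stops anonymous callers but not a forged link followed by a logged-in administrator, so a nonce check (for example `check_admin_referer()` on a dedicated action) should accompany it, or the trigger should move behind an admin-only screen. The unchanged context line `add_action('init', [__CLASS__, 'json_generate']);` also leaves the debug routine hooked on every front-end request; registering it only in an admin context would shrink the surface further.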
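Review bot: In the second hunk (`@@ -188,6 +188,10 @@`), the new `manage_options` guard prevents further unauthenticated dumps but nothing here removes a JSON file that was already written before the upgrade, and the write target shown in the Vulnerable Code excerpt (`self::$file_json_demo_data`) is not touched by this change. Suggest deleting any existing dump as part of the update and writing debug output outside the web-served plugin directory, or dropping the debug hook from release builds. As in the `ddd` branch, this GET-triggered file write checks a capability but no nonce.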
Exploit Outline
The vulnerability can be exploited using two methods. First, an unauthenticated attacker can send a GET request to any WordPress page with the parameter `default_form_data=1`, which triggers the plugin to dump sensitive configuration data into `/wp-content/plugins/front-editor/templates/default_form_data.json`, which is then publicly accessible. Second, if guest posting is enabled, an attacker can visit the frontend form page (typically `/front-user-submit-form/`) and inspect the page source for the `editor_data` JavaScript variable. This object contains the full `fe_form_settings` configuration and a valid `wp_rest` nonce, which can be leveraged for further unauthorized REST API interactions.
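To check whether the first request pattern above has already reached a site, the access log can be searched for the trigger parameters and for reads of the dump file. The following is an added example, not code from the advisory or the plugin; it assumes the Apache/nginx "combined" log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Dump file path and trigger parameters exactly as named in the advisory text.
DUMP_PATH = "/wp-content/plugins/front-editor/templates/default_form_data.json"
TRIGGER_PARAMS = {"default_form_data", "ddd"}

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (ip, kind, detail, status) for a line matching either pattern, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qs percent-decodes names and keeps valueless keys, as PHP's $_GET does.
    hit = TRIGGER_PARAMS & set(parse_qs(url.query, keep_blank_values=True))
    if hit:
        return (m["ip"], "trigger", sorted(hit)[0], int(m["status"]))
    if unquote(url.path) == DUMP_PATH:
        return (m["ip"], "dump_fetch", DUMP_PATH, int(m["status"]))
    return None

def scan(lines):
    """Return (findings per client IP, set of IPs that read the dump with HTTP 200)."""
    findings, exposed = {}, set()
    for line in lines:
        result = classify(line)
        if result:
            ip, kind, detail, status = result
            findings.setdefault(ip, []).append((kind, detail, status))
            if kind == "dump_fetch" and status == 200:
                exposed.add(ip)
    return findings, exposed

# Constructed sample lines using documentation IP ranges; not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Feb/2026:10:00:01 +0000] "GET /?default_form_data=1 HTTP/1.1" 200 5120 "-" "curl/8.5"',
    '203.0.113.7 - - [10/Feb/2026:10:00:02 +0000] "GET /wp-content/plugins/front-editor/templates/default_form_data.json HTTP/1.1" 200 2310 "-" "curl/8.5"',
    '198.51.100.4 - - [10/Feb/2026:10:05:00 +0000] "GET /front-user-submit-form/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Feb/2026:10:06:00 +0000] "GET /blog/?page=2&default%5Fform%5Fdata=1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Feb/2026:10:07:00 +0000] "GET /wp-content/plugins/front-editor/templates/default_form_data.json HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A client in the `exposed` set received the dump with HTTP 200, so the configuration it contained should be treated as disclosed. Visits that only load the form page (the second pattern) look like ordinary traffic and are not flagged by this check.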