[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsXZStqfI7WO1AMXaktbG5ERI3tmqfmYv4RWMQd4i1rk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1867","guest-posting-frontend-posting-front-editor-wp-front-user-submit-unauthenticated-information-exposure","Guest posting \u002F Frontend Posting \u002F Front Editor – WP Front User Submit \u003C 5.0.6 - Unauthenticated Information Exposure","The Guest posting \u002F Frontend Posting \u002F Front Editor – WP Front User Submit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 5.0.6 (exclusive). 
This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","front-editor",null,"\u003C5.0.6","5.0.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-03-12 00:00:00","2026-03-19 13:33:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb04a7ef8-13bb-455e-8ca8-22f3eec15bcb?source=api-prod",8,[22,23,24,25,26,27,28,29],"composer.json","composer.lock","front-editor.php","inc\u002FDemoData.php","inc\u002FEditor.php","inc\u002FForm.php","inc\u002FPostFormsListTable.php","package-lock.json","researched",false,3,"# Exploitation Research Plan - CVE-2026-1867\n\n## 1. Vulnerability Summary\nThe **WP Front User Submit (front-editor)** plugin for WordPress is vulnerable to **Unauthenticated Sensitive Information Exposure** in versions before 5.0.6. \n\nThe vulnerability manifests in two primary ways:\n1.  **Debug Endpoint Leak:** A hook in `inc\u002FDemoData.php` allows unauthenticated users to trigger a function that dumps the plugin's configuration (including potentially sensitive email settings and form structures) into a publicly accessible JSON file within the plugin directory.\n2.  **Frontend Localization Leak:** The plugin prints a JavaScript object `editor_data` inline on any page containing the `[fe_form]` shortcode. If guest posting is enabled, this object is exposed to unauthenticated users and contains the entire `fe_form_settings` meta-array and a valid `wp_rest` nonce.\n\n## 2. 
Attack Vector Analysis\n-   **Endpoints:**\n    -   **Vector 1 (Debug):** Any frontend URL with the query parameter `?default_form_data=1`.\n    -   **Vector 2 (Localization):** Any page containing the `[fe_form]` shortcode (by default, the plugin creates one at `\u002Ffront-user-submit-form\u002F`).\n-   **Authentication:** None required (Unauthenticated).\n-   **Preconditions:**\n    -   For Vector 1: The plugin directory `templates\u002F` must be","The WP Front User Submit plugin exposes sensitive information, including REST API nonces and full plugin configuration data, to unauthenticated users. This occurs through a debug endpoint that writes configuration to a public JSON file and via the frontend localization of form settings on pages where guest posting is enabled.","\u002F\u002F inc\u002FDemoData.php (around line 174 in v5.0.5)\n    public static function json_generate()\n    {\n\n        if (!isset($_GET['default_form_data'])) {\n            return;\n        }\n\n        $args = [\n            'post_type' => self::$post_type,\n            'post_name' => self::$post_name,\n        ];\n\n        $posts = get_posts($args);\n        $data = [\n            'fe_post_updated_from_admin' => get_post_meta($posts[0]->ID, 'fe_post_updated_from_admin', true),\n            'formBuilderData' => get_post_meta($posts[0]->ID, 'formBuilderData', true),\n            'fe_form_settings' => get_post_meta($posts[0]->ID, 'fe_form_settings', true),\n        ];\n\n        $json = json_encode($data, JSON_PRETTY_PRINT);\n\n        $file_json = self::$file_json_demo_data;\n        $fp = fopen($file_json, 'w');\n        fwrite($fp, $json);\n        fclose($fp);\n\n        do_action('qm\u002Fdebug', $json);\n    }\n\n---\n\n\u002F\u002F inc\u002FEditor.php (around line 90 in v5.0.5)\n\t\t$data = [\n\t\t\t'ajax_url'          => admin_url('admin-ajax.php'),\n\t\t\t'html_post_content' => apply_filters('fe_localize_post_html_content', [], $attributes, $post_id),\n\t\t\t'is_user_logged_in' 
=> is_user_logged_in(),\n\t\t\t'rest_url_update_form' \t=> get_rest_url(null, 'bfe\u002Fv1\u002Fadd_or_update_post'),\n\t\t\t'nonce' => \twp_create_nonce('wp_rest'),\n\t\t\t'form_id' => $attributes['id'],\n\t\t\t'rest_url_image' \t=> get_rest_url(null, 'bfe\u002Fv1\u002Fupload_image'),\n\t\t\t'rest_url_upload_file' \t=> get_rest_url(null, 'bfe\u002Fv1\u002Fupload_file'),\n\t\t\t'rest_url_post_thumb_uploading_image' \t=> get_rest_url(null, 'bfe\u002Fv1\u002Fpost_thumb_uploading_image'),\n\t\t\t'form_settings' => $form_settings,\n            \u002F\u002F ...\n\t\t];\n\n\t\t$wp_localize_data = apply_filters('bfe_front_editor_localize_data', $data, $attributes, $post_id);\n        \u002F\u002F ...\n\t\t\u002F\u002F wp localize script is not working on Twenty Twenty-Three this solution helped\n\t\tprintf('\u003Cscript>var editor_data = %s\u003C\u002Fscript>', json_encode($wp_localize_data));","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffront-editor\u002F5.0.5\u002Finc\u002FDemoData.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffront-editor\u002F5.0.6\u002Finc\u002FDemoData.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffront-editor\u002F5.0.5\u002Finc\u002FDemoData.php\t2024-12-14 20:57:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffront-editor\u002F5.0.6\u002Finc\u002FDemoData.php\t2026-02-16 12:05:38.000000000 +0000\n@@ -18,7 +18,7 @@\n         add_action('init', [__CLASS__, 'json_generate']);\n \n         add_action('init', function () {\n-            if (isset($_GET['ddd'])) {\n+            if (isset($_GET['ddd']) && current_user_can('manage_options')) {\n \n                 self::create_demo_page();\n             }\n@@ -188,6 +188,10 @@\n             return;\n         }\n \n+        if (!current_user_can('manage_options')) {\n+            return;\n+        }\n+\n         $args = [\n           
  'post_type' => self::$post_type,\n             'post_name' => self::$post_name,","The vulnerability can be exploited using two methods. First, an unauthenticated attacker can send a GET request to any WordPress page with the parameter `default_form_data=1`, which triggers the plugin to dump sensitive configuration data into `\u002Fwp-content\u002Fplugins\u002Ffront-editor\u002Ftemplates\u002Fdefault_form_data.json`, which is then publicly accessible. Second, if guest posting is enabled, an attacker can visit the frontend form page (typically `\u002Ffront-user-submit-form\u002F`) and inspect the page source for the `editor_data` JavaScript variable. This object contains the full `fe_form_settings` configuration and a valid `wp_rest` nonce, which can be leveraged for further unauthorized REST API interactions.","gemini-3-flash-preview","2026-04-18 04:14:29","2026-04-18 04:15:18",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.0.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffront-editor\u002Ftags\u002F5.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffront-editor.5.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffront-editor\u002Ftags\u002F5.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffront-editor.5.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffront-editor\u002Ftags"]