CVE-2026-11570 User Submitted Posts < 20260608 - Unauthenticated Stored XSS via Author Name
The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled...