The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6's settings, it is possible for an unauthenticated attacker to export and download all of the form data/settings, including the administrator's email address.
CVE-2026-1867
NONE
EPSS 0.04%
Updated Mar 11, 2026
WordPress
CVE Details
CVE ID
CVE-2026-1867
Published Date
Mar 11, 2026
Vendor
WordPress
Severity
NONE
Exploit Prediction (EPSS)
Probability of Exploit
0.04%
Likelihood of exploitation in next 30 days
Percentile:
13.1th percentile (higher than 13.1% of all CVEs)
Standard patching cycle
Impact
Minimal impact
Source
View Advisory