VYPR
Medium severity · CVSS 4.4 · NVD Advisory · Published May 2, 2024 · Updated Apr 15, 2026

CVE-2024-2967

Description

The Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 4.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WP Front User Submit plugin (<=4.4.7) allows admin-level attackers to inject scripts via form settings on multisite or when unfiltered_html is disabled.

The WP Front User Submit plugin (versions up to and including 4.4.7) contains a Stored Cross-Site Scripting (XSS) vulnerability in its form settings. The root cause is insufficient input sanitization and output escaping, allowing malicious script injection into pages [1].

Exploitation requires authenticated access with administrator-level permissions or higher. The vulnerability is only exploitable on multi-site installations or on single-site installations where the unfiltered_html capability has been disabled; both cases amount to the same condition, since on multisite regular administrators do not hold unfiltered_html by default (only super admins do), so the plugin's own missing sanitization and escaping is what lets script content reach the page [1].

An attacker can inject arbitrary web scripts that execute whenever a user accesses the affected page. This can lead to session hijacking, defacement, or redirection to malicious sites, compromising the integrity of the WordPress instance [1].

Mitigation involves updating the plugin to a version newer than 4.4.7. Users should monitor the plugin's update page for the patched release. As a workaround until then, restrict administrator-level access to trusted users only, since that is the privilege level the attack requires [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.