CVE-2026-1867
Description
The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the plugin's settings, an unauthenticated attacker can export and download all of the form data and settings, including the administrator's email address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can trigger the regeneration of a .json file in the WordPress Guest posting plugin, exposing form data and the admin email address.
The vulnerability resides in the Guest posting / Frontend Posting / Front Editor WordPress plugin (also known as WP Front User Submit) versions before 5.0.6. The plugin initially creates a .json file based on demo data and allows passing a URL parameter to regenerate this file. If an administrator modifies the demo form and enables admin notifications in the plugin's settings, the regenerated .json file includes all form data and settings.
An unauthenticated attacker can exploit this by simply supplying the appropriate URL parameter to trigger the regeneration process. No authentication is required. After the file is regenerated, the attacker can download the .json file, as it is publicly accessible.
The impact is sensitive information disclosure. The exposed .json file contains the administrator's email address and all form configurations. This could enable targeted phishing attacks or further compromise of the WordPress site. The attacker does not gain direct administrative access but obtains valuable intelligence.
The vulnerability has been fixed in version 5.0.6 of the plugin. Users are strongly advised to update immediately. The plugin vendor has confirmed the fix and the issue was publicly disclosed on 2026-02-18 [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Guest posting / Frontend Posting / Front Editor, range: <5.0.6
Patches
No patches discovered yet.
References: 1
News mentions: 0 (no linked articles in our index yet)