CVE-2026-9676

Summary

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

Affected Software

VendorProductVersion RangeStatus
UnknownF4 Post Tree0 < 2.0.5affected

Weaknesses

  • CWE-862 Missing Authorization
  • CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References