CVE-2026-9676

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 29, 2026

Vendor unknown

Description

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

References

https://wpscan.com/vulnerability/54627b10-115c-4434-a17b-eb680244889f/