GHSA-m9qg-5xmj-j7ggMediumCVSS 4.3

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce...

Published
June 29, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

🔗 References (3)