CVE-2026-9676
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
The F4 Post Tree WordPress plugin before version 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.
Risk Assessment
The risk is that an attacker with low privileges can alter the structure and order of any posts, potentially leading to content disorganization, navigation manipulation, or hiding important information.
Recommendation
It is recommended to immediately update the F4 Post Tree plugin to version 2.0.5 or later, which includes the necessary security fixes.
Original NVD description (English source)
The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

