Vulnerability Brief

CVE-2026-9676

What this means for your business

If a security vulnerability is left unpatched in a widely used plugin like the F4 Post Tree plugin for WordPress, it can allow unauthorized users to make unintended changes to your website's content, potentially disrupting your business operations and damaging your reputation. This could result in lost revenue, damaged customer relationships, and wasted time and resources spent on repairs. To minimize these risks, it's essential to regularly update your plugins and take prompt action to address any identified vulnerabilities.

  • Severity: MEDIUM
  • CVSS score: 4.3

Technical summary

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.
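The two missing controls named above, shown in a hardened AJAX handler. This is an added example, not code from the F4 Post Tree plugin or its patch; the action name `example_tree_move`, the handler name, and the request fields `nonce`, `post_id`, `parent_id` and `menu_order` are hypothetical.

```php
<?php
// Hypothetical action and field names; not taken from the F4 Post Tree source.
// wp_ajax_* (without nopriv) only requires a logged-in user, so a Subscriber
// reaches this handler. Authorization has to happen inside the handler itself.
add_action( 'wp_ajax_example_tree_move', 'example_tree_move_handler' );

function example_tree_move_handler() {
	// CSRF check: the request must carry a nonce issued for this action.
	// Passing false as the third argument returns the result instead of dying,
	// so the handler controls the error response.
	if ( ! check_ajax_referer( 'example_tree_move', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
	}

	$post_id    = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	$parent_id  = isset( $_POST['parent_id'] ) ? absint( $_POST['parent_id'] ) : 0;
	$menu_order = isset( $_POST['menu_order'] ) ? (int) $_POST['menu_order'] : 0;

	if ( ! $post_id || ! get_post( $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Unknown post' ), 404 );
	}

	// Capability check on the specific post being moved. The 'edit_post'
	// meta capability resolves against this post's type, status and author.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	// Validate the new parent: it must exist, differ from the post itself,
	// and share the post type.
	if ( $parent_id ) {
		$parent = get_post( $parent_id );
		if ( ! $parent || $parent_id === $post_id
			|| $parent->post_type !== get_post_type( $post_id ) ) {
			wp_send_json_error( array( 'message' => 'Invalid parent' ), 400 );
		}
	}

	$result = wp_update_post(
		array( 'ID' => $post_id, 'post_parent' => $parent_id, 'menu_order' => $menu_order ),
		true // return a WP_Error on failure instead of 0
	);
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
	}
	wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

The nonce alone is not sufficient: any logged-in user who can load a page that prints it will hold a valid nonce, so the per-post `current_user_can()` check is what stops a Subscriber from reordering posts they cannot edit.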