Description

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

Weaknesses

  • — CWE-862 Missing Authorization
  • — CWE-352 Cross-Site Request Forgery (CSRF)

Affected products

VendorProductVersions
UnknownF4 Post Tree0 to <2.0.5

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 29 Jun 2026 07:08 UTC.