The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.
https://wpscan.com/vulnerability/35c33c56-5b12-4be5-9d45-68f47cd854ec/