Skip to main content

WS Form LITE CVE-2026-11562

| EUVDEUVD-2026-40915 MEDIUM
2026-07-01 WPScan GHSA-44m6-x3f3-q98j
4.3
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible settings endpoint, no interaction needed, but subscriber-level auth required (PR:L); only plugin settings integrity is affected, no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 01, 2026 - 11:26 vuln.today
CVSS changed
Jul 01, 2026 - 11:22 NVD
4.3 (None) 4.3 (MEDIUM)
Patch available
Jul 01, 2026 - 08:01 EUVD
CVE Published
Jul 01, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 01, 2026 - 06:00 cve.org
MEDIUM 4.3

DescriptionCVE.org

The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the WS Form LITE WordPress plugin before 1.11.8's settings.

AnalysisAI

Missing capability check in WS Form LITE WordPress plugin before 1.11.8 allows any authenticated subscriber-level WordPress user to modify the plugin's settings, an action that should be restricted to administrators. The CVSS vector (PR:L) confirms low-privilege authentication is sufficient, and a publicly available proof-of-concept has been documented by WPScan. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain subscriber-level WordPress account
Delivery
Identify target site running WS Form LITE <1.11.8
Exploit
Send crafted HTTP request to settings-update action
Execution
Bypass missing capability check
Impact
Modify plugin settings to attacker-controlled values

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account at subscriber level or above - PR:L in the CVSS vector confirms this. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) reflects the limited scope: network-accessible (AV:N), low complexity (AC:L), requires low-privilege authentication (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or availability impact (C:N, A:N), and only partial integrity impact (I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or logs in as a subscriber on a WordPress site running WS Form LITE before 1.11.8 - a plausible step on any site with open user registration or a membership model. Using the publicly available POC, the attacker sends a crafted HTTP request to the plugin's settings-update endpoint without administrator credentials, successfully modifying plugin configuration (e.g., altering form submission behavior, notification settings, or storage options). …
Remediation Vendor-released patch: upgrade WS Form LITE to version 1.11.8 or later, which introduces the missing capability check on the affected settings-update action. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11562 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy