Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery.
This issue affects CformsII: from n/a through 15.1.3.
AnalysisAI
Cross-Site Request Forgery in the CformsII WordPress plugin (bgermann) through version 15.1.3 allows remote unauthenticated attackers to coerce an authenticated victim into submitting forged state-changing requests, resulting in limited integrity loss and high availability impact. No public exploit identified at time of analysis and EPSS sits at 0.01% (4th percentile), indicating very low near-term exploitation probability, and SSVC marks exploitation as none. Patchstack tracks the issue and EUVD-2026-31766 mirrors the advisory.
Technical ContextAI
CformsII is a WordPress contact/form-building plugin maintained by bgermann (CPE cpe:2.3:a:bgermann:cformsii). The root cause class is CWE-352 (Cross-Site Request Forgery), meaning sensitive state-changing endpoints in the plugin's admin or form-processing handlers do not validate a per-session WordPress nonce (wp_nonce_field / check_admin_referer) or equivalent anti-CSRF token. As a result, requests originating from an attacker-controlled page are processed as if they were issued intentionally by the logged-in administrator, leveraging the victim's existing WordPress session cookies.
RemediationAI
No vendor-released patch identified at time of analysis - neither the Patchstack advisory nor EUVD record cites a fixed version beyond 15.1.3, so administrators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cforms2/vulnerability/wordpress-cformsii-plugin-15-1-3-cross-site-request-forgery-csrf-vulnerability) for an upcoming release and upgrade as soon as one is published. In the interim, consider deactivating CformsII if it is not business-critical (trade-off: contact forms break), restricting wp-admin access to known IPs via web server ACLs or a WAF rule (trade-off: blocks remote admins on dynamic IPs), enabling a WAF ruleset such as Patchstack/Wordfence that flags missing-nonce POSTs to plugin endpoints, and training site administrators to log out of WordPress before browsing untrusted sites to neutralize the required UI:R step.
Unrestricted file upload vulnerability in lib_nonajax.php in the CformsII plugin 14.7 and earlier for WordPress allows r
The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field. Rated high severity (CVSS 8.8),
Cross-Site Request Forgery (CSRF) vulnerability in Oliver Seidel, Bastian Germann cformsII plugin <= 15.0.4 versions. Ra
Stored/reflected cross-site scripting in the CformsII WordPress plugin (versions ≤ 15.1.3) allows unauthenticated remote
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31766
GHSA-9hvq-88wh-f99r