Skip to main content

CformsII CVE-2026-39436

| EUVDEUVD-2026-31766 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-25 Patchstack GHSA-9hvq-88wh-f99r
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 09:45 vuln.today

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery.

This issue affects CformsII: from n/a through 15.1.3.

AnalysisAI

Cross-Site Request Forgery in the CformsII WordPress plugin (bgermann) through version 15.1.3 allows remote unauthenticated attackers to coerce an authenticated victim into submitting forged state-changing requests, resulting in limited integrity loss and high availability impact. No public exploit identified at time of analysis and EPSS sits at 0.01% (4th percentile), indicating very low near-term exploitation probability, and SSVC marks exploitation as none. Patchstack tracks the issue and EUVD-2026-31766 mirrors the advisory.

Technical ContextAI

CformsII is a WordPress contact/form-building plugin maintained by bgermann (CPE cpe:2.3:a:bgermann:cformsii). The root cause class is CWE-352 (Cross-Site Request Forgery), meaning sensitive state-changing endpoints in the plugin's admin or form-processing handlers do not validate a per-session WordPress nonce (wp_nonce_field / check_admin_referer) or equivalent anti-CSRF token. As a result, requests originating from an attacker-controlled page are processed as if they were issued intentionally by the logged-in administrator, leveraging the victim's existing WordPress session cookies.

RemediationAI

No vendor-released patch identified at time of analysis - neither the Patchstack advisory nor EUVD record cites a fixed version beyond 15.1.3, so administrators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cforms2/vulnerability/wordpress-cformsii-plugin-15-1-3-cross-site-request-forgery-csrf-vulnerability) for an upcoming release and upgrade as soon as one is published. In the interim, consider deactivating CformsII if it is not business-critical (trade-off: contact forms break), restricting wp-admin access to known IPs via web server ACLs or a WAF rule (trade-off: blocks remote admins on dynamic IPs), enabling a WAF ruleset such as Patchstack/Wordfence that flags missing-nonce POSTs to plugin endpoints, and training site administrators to log out of WordPress before browsing untrusted sites to neutralize the required UI:R step.

Share

CVE-2026-39436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy