Skip to main content

Advanced Form Integration CVE-2026-42659

| EUVD-2026-36824 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-7gmg-2w3g-286j
Authentication Bypass Advanced Form Integration
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-exploitable WordPress AJAX endpoint requiring only a subscriber session; no confidentiality or availability impact described, only integrity modification of plugin settings.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:01 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Advanced Form Integration <= 1.126.12 versions.

AnalysisAI

Broken Access Control in the Advanced Form Integration WordPress plugin (versions ≤ 1.126.12) allows authenticated subscriber-level users to perform privileged actions that should be restricted to administrators, due to missing authorization checks (CWE-862). The flaw carries a CVSS 3.1 score of 6.5 with high integrity impact (I:H), meaning a low-privilege attacker can substantially alter plugin or form integration configurations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain WordPress subscriber account
Delivery
Send crafted authenticated HTTP request to unprotected plugin endpoint
Exploit
Bypass missing capability check (CWE-862)
Execution
Modify form integration configuration or third-party API targets
Impact
Harvest or corrupt subsequent form submission data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account at subscriber level or above on the target site running Advanced Form Integration ≤ 1.126.12. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N reflects a network-exploitable flaw requiring only low-privilege authentication, no user interaction, and no special configuration - resulting in high integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running Advanced Form Integration ≤ 1.126.12 (or uses an already-compromised low-privilege credential), then sends a crafted authenticated HTTP POST request to a plugin AJAX endpoint that lacks capability checks. The missing authorization allows the attacker to overwrite form integration settings - for example, redirecting form submissions to an attacker-controlled third-party webhook - thereby silently harvesting all future user-submitted data including contact details, credentials, or payment information. …
Remediation Update the Advanced Form Integration plugin to a version beyond 1.126.12 once the vendor (Nasir Ahmed) releases a patched build - an exact fixed version has not been independently confirmed from the available data, so monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/advanced-form-integration/vulnerability/wordpress-advanced-form-integration-plugin-1-126-12-broken-access-control-vulnerability and the official WordPress plugin repository for an updated release. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-42659 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy