Skip to main content

Form Notify CVE-2026-5229

| EUVDEUVD-2026-30516 CRITICAL
Improper Authentication (CWE-287)
2026-05-15 Wordfence GHSA-6cpv-j32f-rqmr
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 15, 2026 - 09:30 vuln.today
Analysis Generated
May 15, 2026 - 09:30 vuln.today
CVE Published
May 15, 2026 - 07:46 nvd
CRITICAL 9.8

DescriptionCVE.org

The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address (which is common), the plugin falls back to reading the 'form_notify_line_email' cookie value without verifying that the LINE account is associated with that email address. This makes it possible for unauthenticated attackers to gain access to any user account on the site, including administrator accounts, by completing a LINE OAuth flow with their own LINE account while injecting a malicious cookie containing the target victim's email address.

AnalysisAI

Authentication bypass in Form Notify WordPress plugin versions ≤1.1.10 allows remote unauthenticated attackers to gain administrator access through LINE OAuth flow manipulation. Attackers exploit the plugin's trust of the 'form_notify_line_email' cookie when LINE OAuth doesn't return an email address, authenticating as any site user by injecting a cookie containing the victim's email while completing OAuth with their own LINE account. Wordfence reported this vulnerability with proof-of-concept code available via GitHub commit diffs. EPSS data not available, but the CVSS 9.8 score and network vector with no authentication requirement indicate critical severity. No CISA KEV listing at time of analysis.

Technical ContextAI

This vulnerability stems from insecure OAuth implementation (CWE-287: Improper Authentication) in the Form Notify plugin's LINE Login integration. LINE's OAuth provider optionally returns user email addresses, and when omitted, the plugin implemented a fallback mechanism reading the 'form_notify_line_email' cookie without cryptographic verification or binding to the OAuth session state. The affected code in src/APIs/Line/Login/Route.php (lines 116-118 in version 1.1.08) blindly trusts client-controlled cookie data to map LINE accounts to WordPress users. The vulnerable logic allows session fixation attacks where attackers control both the OAuth state and the email association. The CPE string identifies this as the 'Receive Notifications After Form Submitting - Form Notify for Any Forms' plugin by developer m615926. The fix in version 1.1.10 eliminates cookie-based email fallback entirely, instead generating synthetic email addresses (@line.com domain) for LINE accounts without verified emails and adding a has_real_email flag to prevent authentication bypass.

RemediationAI

Upgrade immediately to Form Notify version 1.1.10 or later, confirmed patched per WordPress plugin changeset 3517908 at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3517908%40form-notify&new=3517908%40form-notify. The fix commits (https://github.com/oberonlai/form-notify/commit/5eab0ea and https://github.com/oberonlai/form-notify/commit/9780764) remove cookie-based email fallback logic entirely and implement has_real_email flag validation to prevent authentication bypass. If immediate patching is not possible, disable LINE Login functionality in Form Notify plugin settings as a temporary mitigation - this eliminates the vulnerable OAuth flow but breaks LINE-based authentication for legitimate users. Alternatively, implement web application firewall rules to block requests containing 'form_notify_line_email' cookies during LINE OAuth callbacks, though this workaround may have side effects on legitimate OAuth flows and requires careful testing. For sites not actively using LINE Login integration, completely disable or uninstall the Form Notify plugin until patching. No compensating controls can fully mitigate this vulnerability while LINE Login remains enabled with vulnerable code.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-5229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy