Skip to main content

FormLayer CVE-2026-59519

| EUVDEUVD-2026-41783 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-07-05 Patchstack GHSA-j5vc-c5q7-5fjm
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible unauthenticated endpoint leaks limited sensitive data; no integrity, availability, or scope-change impact supported by description.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 22:17 vuln.today

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in Softaculous FormLayer allows Retrieve Embedded Sensitive Data.

This issue affects FormLayer: from n/a through 1.0.6.

AnalysisAI

Sensitive data exposure in Softaculous FormLayer WordPress plugin through version 1.0.6 allows remote unauthenticated attackers to retrieve embedded sensitive information from data transmitted by the plugin. The root cause (CWE-201) indicates the plugin inserts sensitive content - potentially API keys, tokens, or internal configuration - into outbound data visible to requesting clients. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with FormLayer active
Delivery
Request public form page or plugin API endpoint
Exploit
Inspect HTTP response for sensitive embedded data
Execution
Extract credentials, tokens, or keys from response
Impact
Leverage retrieved data against downstream services

Vulnerability AssessmentAI

Exploitation No special conditions required beyond the target WordPress site having the FormLayer plugin installed, activated, and serving at least one form page or plugin endpoint accessible to unauthenticated visitors. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (Medium) correctly reflects bounded impact: confidentiality is partially compromised (C:L) but integrity and availability are unaffected (I:N/A:N), and scope is unchanged (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker visits a WordPress site running FormLayer through version 1.0.6, loads a public form page or sends a direct request to a plugin-registered endpoint, and inspects the HTTP response body or JavaScript payload. The plugin's outbound data contains embedded sensitive information - such as an API key or internal token - which the attacker extracts and uses for further unauthorized access to connected services.
Remediation Update FormLayer to a version above 1.0.6 if a patched release has been published to the WordPress plugin repository or Softaculous directly. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy