Skip to main content

Ultra Addons for WPForms EUVDEUVD-2026-36970

| CVE-2026-39594 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-576q-jmx2-x785
6.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
vuln.today AI
6.4 MEDIUM

PR:L because subscriber account is required; S:C because actions affect WordPress components beyond the plugin; no confidentiality impact identified.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:10 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions.

AnalysisAI

Broken access control in Ultra Addons for WPForms (WordPress plugin by Themefic) through version 1.0.11 allows authenticated subscriber-level users to perform privileged actions beyond their intended role. The vulnerability stems from missing authorization checks (CWE-862), enabling a low-privilege attacker with only a subscriber account to manipulate plugin functionality in ways restricted to higher-privilege roles such as administrators or editors. With a CVSS 3.1 score of 6.4 Medium and a scope-changed vector, the impact extends beyond the plugin itself to affect WordPress site integrity and availability. No public exploit code and no confirmed active exploitation have been identified at time of analysis.

Technical ContextAI

Ultra Addons for WPForms is a WordPress plugin developed by Themefic (CPE: cpe:2.3:a:themefic:ultra_addons_for_wpforms:*:*:*:*:*:*:*:*) that extends the WPForms form builder. The root cause is CWE-862 (Missing Authorization), a class of vulnerability where PHP functions or AJAX handlers registered by the plugin fail to verify whether the calling user holds sufficient capabilities before executing privileged operations. In WordPress, subscriber is the lowest authenticated role and should have no administrative access. The CVSS scope change (S:C) indicates the missing check allows actions that affect resources or components outside the plugin's own security scope - likely WordPress site content, settings, or form data managed by WPForms itself. This pattern is extremely common in WordPress plugin ecosystems where AJAX action callbacks omit current_user_can() checks or rely solely on nonce verification without capability gating.

RemediationAI

The primary remediation is to update Ultra Addons for WPForms to a version released after 1.0.11; however, a specific patched version number is not confirmed in the available intelligence - verify the current version in the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ultra-addons-for-wpforms/vulnerability/wordpress-ultra-addons-for-wpforms-plugin-1-0-11-broken-access-control-vulnerability before updating. If an update is not yet available or cannot be applied immediately, disable user registration on the WordPress site (Settings > General > uncheck 'Anyone can register') to eliminate the subscriber-level attack surface entirely - this prevents untrusted users from obtaining the minimum privilege required to exploit the flaw, though it also prevents legitimate new user sign-ups. Alternatively, a web application firewall rule (e.g., via Patchstack Shield or Wordfence) that blocks unauthorized AJAX calls to the plugin's endpoints can serve as a temporary compensating control without requiring registration to be disabled. Deactivating the plugin until a confirmed patched version is available is the most conservative option if WPForms addons functionality is not critical.

Share

EUVD-2026-36970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy