Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
REST endpoint is network-reachable with no auth or user interaction; broken check accepts any password, leaking password hashes and emails - confidentiality only.
Primary rating from Vendor (Wordfence).
CVSS Vector (Vendor: Wordfence)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (CVE.org)
The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/<id> (callback userDetail()) with permission_callback set to '__return_true', and the function's home-grown authentication only verifies that the supplied 'Username' HTTP header maps to an administrator account and that a 'Password' HTTP header is non-empty. It never validates the password with wp_check_password() (unlike the sibling delete_wc_user() function which does). This makes it possible for unauthenticated attackers to retrieve sensitive information for any registered user ID - including the WordPress password hash (user_pass) and email address - by sending a request with a valid administrator login name (commonly the default 'admin') and any arbitrary password value.
Analysis (AI)
Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires only that the target WordPress site has WP Forms Connector ≤1.8 installed and active and that its REST API is reachable from the attacker (the WordPress default). … |
| Risk Assessment | All available signals point to a real, high-priority exposure rather than a paper-only CVSS score. … |
| Exploit Scenario | An attacker enumerates WordPress sites running WP Forms Connector via plugin fingerprinting, then sends an HTTP GET to /wp-json/wp/v3/user/list/1 with the header 'Username: admin' and 'Password: anything'; the broken permission check accepts the request and the JSON response returns the administrator's email and PHPass password hash. The attacker iterates over user IDs to harvest every account's hash, then runs hashcat offline to recover plaintext passwords and pivots to wp-login.php for full site takeover. … |
| Remediation | No vendor-released patch identified at time of analysis - the Wordfence write-up and the plugin's trac source still reference version 1.8 as the latest vulnerable release, so operators cannot yet rely on a simple upgrade. … |
Recommended Action (AI)
Within 24 hours: Disable and remove WP Forms Connector versions 1.8 and earlier from all WordPress installations; immediately force password reset for all user accounts. …
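An added example, not part of the original page or the plugin's code: a web access log scan that lists which clients requested the wp/v3/user/list/<id> route and which user IDs they asked for, covering both the /wp-json/ and ?rest_route= forms of a WordPress REST URL. The log lines are constructed, the combined log format is assumed, and treating status 200 as "served" is an assumption about how the site responds.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-log-format fields needed here: client IP, request target, status.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Route named in the advisory, with the numeric user ID captured.
ROUTE = re.compile(r'^/wp/v3/user/list/(\d+)/?$')

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Pretty permalinks: /wp-json/<route>, possibly under a subdirectory.
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1]
    # Plain permalinks: ?rest_route=/<route> (parse_qs percent-decodes it).
    values = parse_qs(parts.query).get("rest_route")
    return values[0] if values else None

def scan(lines):
    """Map client IP -> {'ids': user IDs requested, 'served': count of 200s}."""
    hits = defaultdict(lambda: {"ids": set(), "served": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        route = rest_route(m["target"])
        rm = ROUTE.match(route) if route else None
        if not rm:
            continue
        entry = hits[m["ip"]]
        entry["ids"].add(int(rm.group(1)))
        # Assumption: a 200 status means the endpoint returned a user record.
        entry["served"] += int(m["status"] == "200")
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-json/wp/v3/user/list/1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /wp-json/wp/v3/user/list/2 HTTP/1.1" 200 498 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "GET /?rest_route=%2Fwp%2Fv3%2Fuser%2Flist%2F3 HTTP/1.1" 200 505 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2026:10:05:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2026:10:06:00 +0000] "GET /wp-json/wp/v3/user/list/1 HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in scan(SAMPLE).items():
        print(ip, sorted(info["ids"]), "served:", info["served"])
```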
Weakness: CWE-862 – Missing Authorization
Technique: Authentication Bypass
EUVD-2026-38689
GHSA-q7pg-wxgw-7v4g