
WP Forms Connector EUVD-2026-38689

CVE-2026-9178 · HIGH
Missing Authorization (CWE-862)
2026-06-24 Wordfence GHSA-q7pg-wxgw-7v4g
7.5
CVSS 3.1 · Vendor: Wordfence

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

REST endpoint is network-reachable with no auth or user interaction; broken check accepts any password, leaking password hashes and emails - confidentiality only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

Analysis Generated
Jun 24, 2026 - 06:52 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
HIGH 7.5

Description (CVE.org)

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/<id> (callback userDetail()) with permission_callback set to '__return_true', and the function's home-grown authentication only verifies that the supplied 'Username' HTTP header maps to an administrator account and that a 'Password' HTTP header is non-empty. It never validates the password with wp_check_password() (unlike the sibling delete_wc_user() function which does). This makes it possible for unauthenticated attackers to retrieve sensitive information for any registered user ID - including the WordPress password hash (user_pass) and email address - by sending a request with a valid administrator login name (commonly the default 'admin') and any arbitrary password value.
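The two patterns the description contrasts, shown side by side as an added illustration (this is not the plugin's own source; the namespace `example/v1`, the function names and the returned fields are hypothetical, and only the shape of the check follows the advisory). The first registration reproduces the defect: the route is open via `__return_true` and the handler's own check only confirms that the `Username` header names an administrator and that `Password` is non-empty. The second lets WordPress authenticate the caller and gates the route on a capability, and it never returns `user_pass`.

```php
<?php
// Added illustration, not WP Forms Connector's code. Route namespace,
// function names and returned fields are assumptions for the example.

// --- Vulnerable pattern (matches the advisory) ---------------------------
function vuln_register_user_route() {
    register_rest_route( 'example/v1', '/user/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'vuln_user_detail',
        // Anyone on the network may reach the callback; no capability check.
        'permission_callback' => '__return_true',
    ) );
}

function vuln_user_detail( WP_REST_Request $request ) {
    $username = $request->get_header( 'Username' );
    $password = $request->get_header( 'Password' );
    $admin    = get_user_by( 'login', $username );

    // Only confirms the login belongs to an administrator and that a
    // password header is present. wp_check_password() is never called,
    // so any non-empty value passes.
    if ( ! $admin || ! in_array( 'administrator', (array) $admin->roles, true ) || empty( $password ) ) {
        return new WP_Error( 'forbidden', 'Forbidden', array( 'status' => 403 ) );
    }

    $user = get_userdata( (int) $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Not found', array( 'status' => 404 ) );
    }
    // Returning the raw row object exposes user_pass and user_email.
    return $user->data;
}

// --- Hardened pattern ----------------------------------------------------
function fixed_register_user_route() {
    register_rest_route( 'example/v1', '/user/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'fixed_user_detail',
        // WordPress resolves the current user from its own auth (cookie +
        // nonce, or application passwords) before this runs.
        'permission_callback' => function () {
            return current_user_can( 'list_users' );
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
            ),
        ),
    ) );
}

function fixed_user_detail( WP_REST_Request $request ) {
    $user = get_userdata( (int) $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Not found', array( 'status' => 404 ) );
    }
    // Return only what the caller needs; never the password hash.
    return array(
        'id'    => $user->ID,
        'login' => $user->user_login,
        'email' => $user->user_email,
    );
}

add_action( 'rest_api_init', 'fixed_register_user_route' );
```

If a plugin must keep header-based credentials for compatibility, the minimum correct check is `wp_check_password( $password, $admin->user_pass, $admin->ID )` before granting access, which is what the description says the sibling `delete_wc_user()` function does; the capability-based `permission_callback` above is still preferable because it reuses WordPress's own authentication instead of carrying credentials in custom headers.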

Analysis (AI)

Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Fingerprint WordPress site running WP Forms Connector
Delivery
Send REST request to wp/v3/user/list/<id> with admin Username header
Exploit
Bypass broken permission_callback check
Execution
Receive user_pass hash and email in JSON response
Persist
Crack PHPass hash offline
Impact
Authenticate to wp-login.php as administrator

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only that the target WordPress site has WP Forms Connector ≤1.8 installed and active and that its REST API is reachable from the attacker (the WordPress default). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: All available signals point to a real, high-priority exposure rather than a paper-only CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker enumerates WordPress sites running WP Forms Connector via plugin fingerprinting, then sends an HTTP GET to /wp-json/wp/v3/user/list/1 with the headers 'Username: admin' and 'Password: anything'; the broken permission check accepts the request and the JSON response returns the administrator's email and PHPass password hash. The attacker iterates over user IDs to harvest every account's hash, then runs hashcat offline to recover plaintext passwords and pivots to wp-login.php for full site takeover. …

Remediation: No vendor-released patch identified at time of analysis - the Wordfence write-up and the plugin's trac source still reference version 1.8 as the latest vulnerable release, so operators cannot yet rely on a simple upgrade. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Disable and remove WP Forms Connector versions 1.8 and earlier from all WordPress installations; immediately force password reset for all user accounts. …




