Skip to main content

Toolset Forms EUVDEUVD-2026-39722

| CVE-2026-56069 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-26 audit@patchstack.com GHSA-xmxx-qpv3-jjw8
7.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable IDOR (AV:N/AC:L/PR:N/UI:N) where object manipulation disrupts plugin-managed records, giving availability impact only, consistent with the reported C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:56 vuln.today

DescriptionCVE.org

Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms <= 2.6.24 versions.

AnalysisAI

Availability-impacting Insecure Direct Object Reference in the WordPress Toolset Forms (CRED Frontend Editor) plugin version 2.6.24 and earlier lets unauthenticated remote attackers manipulate object identifiers to act on records they should not control. The flaw was reported by Patchstack and carries CVSS 7.5; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running Toolset Forms
Delivery
Locate public front-end form endpoint
Exploit
Manipulate object ID parameter
Execution
Submit unauthenticated request
Impact
Disrupt targeted plugin-managed object

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a public-facing Toolset Forms (CRED Frontend Editor) front-end form endpoint is reachable on the target WordPress site, which is the plugin's intended deployment mode; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) no authentication, no user interaction, and no special configuration are needed beyond the plugin being installed at version 2.6.24 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially conflicting and should be read carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crawls a target WordPress site, identifies a public Toolset Forms front-end endpoint, and submits requests while incrementing or substituting the object identifier parameter. Because the endpoint does not verify ownership and requires no authentication, the attacker triggers actions against form-managed objects belonging to other users, disrupting the availability of that content. …
Remediation No vendor-released patch version was identified in the available data; the advisory only confirms that versions up to and including 2.6.24 are vulnerable, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cred-frontend-editor/vulnerability/wordpress-toolset-forms-plugin-2-6-24-insecure-direct-object-references-idor-vulnerability?_s_id=cve) and the OnTheGoSystems/Toolset changelog for a fixed release above 2.6.24 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress deployments for Toolset Forms plugin version 2.6.24 or earlier; disable the CRED Frontend Editor if operationally feasible, or restrict network access via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39722 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy