Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated network-reachable IDOR (AV:N/AC:L/PR:N/UI:N) where object manipulation disrupts plugin-managed records, giving availability impact only, consistent with the reported C:N/I:N/A:H.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms <= 2.6.24 versions.
AnalysisAI
Availability-impacting Insecure Direct Object Reference in the WordPress Toolset Forms (CRED Frontend Editor) plugin version 2.6.24 and earlier lets unauthenticated remote attackers manipulate object identifiers to act on records they should not control. The flaw was reported by Patchstack and carries CVSS 7.5; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that a public-facing Toolset Forms (CRED Frontend Editor) front-end form endpoint is reachable on the target WordPress site, which is the plugin's intended deployment mode; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) no authentication, no user interaction, and no special configuration are needed beyond the plugin being installed at version 2.6.24 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are partially conflicting and should be read carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crawls a target WordPress site, identifies a public Toolset Forms front-end endpoint, and submits requests while incrementing or substituting the object identifier parameter. Because the endpoint does not verify ownership and requires no authentication, the attacker triggers actions against form-managed objects belonging to other users, disrupting the availability of that content. … |
| Remediation | No vendor-released patch version was identified in the available data; the advisory only confirms that versions up to and including 2.6.24 are vulnerable, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cred-frontend-editor/vulnerability/wordpress-toolset-forms-plugin-2-6-24-insecure-direct-object-references-idor-vulnerability?_s_id=cve) and the OnTheGoSystems/Toolset changelog for a fixed release above 2.6.24 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress deployments for Toolset Forms plugin version 2.6.24 or earlier; disable the CRED Frontend Editor if operationally feasible, or restrict network access via firewall rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39722
GHSA-xmxx-qpv3-jjw8