
Wp Forms Connector

2 CVEs for this product

CVE-2026-9178 | Severity: HIGH | This Week

Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. No public exploit identified at time of analysis, but the trivial nature of the bypass and the exposure of user_pass hashes make this a credible account-takeover vector.

Tags: WordPress, Authentication Bypass, Information Disclosure, Wp Forms Connector
Sources: NVD, VulDB
CVSS 3.1: 7.5
EPSS: 0.3%
CVE-2026-9179 | Severity: HIGH | This Week

SQL injection in the WP Forms Connector WordPress plugin (versions up to and including 1.8) allows unauthenticated remote attackers to extract sensitive database contents via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint. The endpoint is exposed with permission_callback '__return_true' and only validates a 'Username' header against an administrator account without verifying the corresponding 'Password', making the authentication check trivially bypassable. No public exploit identified at time of analysis, but the trivial bypass and unsanitized ORDER BY concatenation make weaponization straightforward.

Tags: WordPress, SQLi, Wp Forms Connector
Sources: NVD
CVSS 3.1: 7.5
EPSS: 0.4%
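As an added illustration covering both entries above (this is not the plugin's code and is not taken from either advisory), the PHP below reconstructs the two patterns the advisories describe and places a hardened form beside each. The `wp/v3` route names and the `Username`/`Password` headers come from the advisory text; the `wpfc_demo_` function names, the `wpfc-demo/v1` namespace, the allowlisted columns and the response fields are assumptions made for the example.

```php
<?php
// Added example: reconstruction of the patterns behind CVE-2026-9178 / CVE-2026-9179
// beside a hardened form. Not the plugin's code; wpfc_demo_* names are assumed.

/* ---------- Vulnerable pattern, as the advisories describe it ---------- */

// Looks up the Username header and checks that it maps to an administrator.
// The Password header is never compared against the stored hash, so knowing
// an admin login (commonly 'admin') is enough to pass this check.
function wpfc_demo_insecure_auth( WP_REST_Request $request ) {
    $user = get_user_by( 'login', (string) $request->get_header( 'username' ) );
    return $user && user_can( $user, 'administrator' );
}

add_action( 'rest_api_init', function () {
    // permission_callback => __return_true lets every request reach the callback.
    register_rest_route( 'wp/v3', '/user/list/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            if ( ! wpfc_demo_insecure_auth( $request ) ) {
                return new WP_Error( 'forbidden', 'Forbidden', array( 'status' => 403 ) );
            }
            global $wpdb;
            // Whole row, so user_pass and user_email go back to the caller.
            return $wpdb->get_row( $wpdb->prepare(
                "SELECT * FROM {$wpdb->users} WHERE ID = %d", (int) $request['id'] ) );
        },
    ) );
    register_rest_route( 'wp/v3', '/post/list', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            if ( ! wpfc_demo_insecure_auth( $request ) ) {
                return new WP_Error( 'forbidden', 'Forbidden', array( 'status' => 403 ) );
            }
            global $wpdb;
            // $wpdb->prepare() has no placeholder for ORDER BY tokens, so the raw
            // 'order' parameter is concatenated straight into the query: SQL injection.
            $order = (string) $request->get_param( 'order' );
            return $wpdb->get_results( "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order" );
        },
    ) );
} );

/* ---------- Hardened form ---------- */

// Permission callback: verify the Password header with wp_check_password() and
// gate on a capability rather than a role name. A WP_Error return sets the HTTP status.
function wpfc_demo_require_admin( WP_REST_Request $request ) {
    $user = get_user_by( 'login', (string) $request->get_header( 'username' ) );
    $pass = (string) $request->get_header( 'password' );
    if ( ! $user || ! wp_check_password( $pass, $user->user_pass, $user->ID ) ) {
        return new WP_Error( 'rest_not_authorized', 'Invalid credentials.', array( 'status' => 401 ) );
    }
    if ( ! user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

// ORDER BY cannot be parameterized, so build it only from allowlisted tokens.
function wpfc_demo_order_clause( $order ) {
    $columns = array( 'ID', 'post_date', 'post_title', 'post_modified' ); // assumed allowlist
    $parts   = preg_split( '/\s+/', trim( (string) $order ) );
    $column  = $parts[0];
    $dir     = isset( $parts[1] ) ? strtoupper( $parts[1] ) : 'ASC';
    if ( count( $parts ) > 2 || ! in_array( $column, $columns, true )
         || ! in_array( $dir, array( 'ASC', 'DESC' ), true ) ) {
        return 'ID ASC'; // fall back to a fixed clause instead of echoing input into SQL
    }
    return "$column $dir";
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wpfc-demo/v1', '/user/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => 'wpfc_demo_require_admin',
        'callback'            => function ( WP_REST_Request $request ) {
            $user = get_userdata( (int) $request['id'] );
            if ( ! $user ) {
                return new WP_Error( 'rest_user_not_found', 'No such user.', array( 'status' => 404 ) );
            }
            // Return only what the integration needs; never the user_pass hash.
            return rest_ensure_response( array(
                'id' => $user->ID, 'login' => $user->user_login, 'display_name' => $user->display_name,
            ) );
        },
    ) );
    register_rest_route( 'wpfc-demo/v1', '/posts', array(
        'methods'             => 'GET',
        'permission_callback' => 'wpfc_demo_require_admin',
        'callback'            => function ( WP_REST_Request $request ) {
            global $wpdb;
            $order_by = wpfc_demo_order_clause( $request->get_param( 'order' ) );
            return $wpdb->get_results(
                "SELECT ID, post_title, post_date FROM {$wpdb->posts} WHERE post_status = 'publish' ORDER BY $order_by" );
        },
    ) );
} );
```

Two design points worth noting. First, a custom header scheme is only shown because the advisories describe one; in practice it is better to drop it and let WordPress authenticate the request itself (cookie plus nonce, or Application Passwords over HTTP Basic), after which the permission callback reduces to `current_user_can( 'manage_options' )` and no plaintext password ever travels in a custom header. Second, `$wpdb->prepare()` only parameterizes values, so any user-controlled `ORDER BY`, column name or table name must be mapped through an allowlist as above rather than escaped.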