What the vulnerability does
01 Description
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address (which is common), the plugin falls back to reading the 'form_notify_line_email' cookie value without verifying that the LINE account is associated with that email address. This makes it possible for unauthenticated attackers to gain access to any user account on the site, including administrator accounts, by completing a LINE OAuth flow with their own LINE account while injecting a malicious cookie containing the target victim's email address.
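The account-resolution flaw described above, as a language-neutral model added here for illustration; it is not the plugin's PHP code. Only the cookie name comes from the advisory: the user table, link table, function names and the use of a validated token's `sub` claim are assumptions.

```python
"""Model of account resolution after a LINE OAuth callback (constructed example)."""

# Constructed sample data: site users, plus LINE ids linked while logged in.
USERS = {1: "admin@example.test", 2: "member@example.test"}
LINE_LINKS = {"U-line-member": 2}  # provider subject id -> site user id


def user_id_by_email(email):
    """Return the site user id that owns this email, or None."""
    wanted = (email or "").lower()
    for uid, addr in USERS.items():
        if addr.lower() == wanted:
            return uid
    return None


def resolve_trusting_cookie(line_claims, cookies):
    """Flawed pattern from the description: fall back to a client-supplied cookie."""
    email = line_claims.get("email") or cookies.get("form_notify_line_email")
    return user_id_by_email(email)


def resolve_bound_to_provider(line_claims, cookies):
    """Hardened pattern: only identity asserted by the provider selects an account."""
    # 1. Prefer an explicit link keyed on the provider's stable subject id.
    uid = LINE_LINKS.get(line_claims.get("sub"))
    if uid is not None:
        return uid
    # 2. Accept an email only when it is a claim in the validated token
    #    (assumes the provider verifies addresses). The cookie is never
    #    consulted for identity, so `cookies` is intentionally unused.
    if line_claims.get("email"):
        return user_id_by_email(line_claims["email"])
    # 3. No verified identifier: refuse instead of guessing an account.
    return None


def demo():
    # The provider returned no email; the cookie is whatever the browser sent.
    claims = {"sub": "U-line-unlinked"}
    cookies = {"form_notify_line_email": "admin@example.test"}
    return (resolve_trusting_cookie(claims, cookies),
            resolve_bound_to_provider(claims, cookies))


if __name__ == "__main__":
    print(demo())
```

The first resolver maps an unlinked provider identity to the administrator's user id purely from the cookie; the second returns no account, which is the point at which a login handler should stop and require an explicit, authenticated account-linking step.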
Explanation of Vulnerability in Simple Terms
02 Summary
Form Notify for Any Forms versions 1.1.10 and earlier do not properly authenticate requests, allowing unauthenticated attackers to access the plugin's functionality over the network without any user interaction. An attacker can read sensitive form submission data, modify form settings, or disrupt form operations. All installations of this plugin require immediate update.
What an attacker can do
03 Attacker Capabilities
Read form submissions, modify form settings, or disrupt form functionality without logging in.
Potential impact on your site
04 Site Impact
Attackers can access all form data and settings without a password, potentially exposing user information and breaking forms.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 15, 2026: CVE published
May 15, 2026: Record updated