What the vulnerability does
01 Description
The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to read form submission records, modify form configuration options, and delete records belonging to any form they do not own.
Explanation of Vulnerability in Simple Terms
02 Summary
Forms Rb versions 1.1.9 and earlier lack proper authorization checks, allowing authenticated users to modify form data they should not have access to. An attacker with a low-privilege account can alter form submissions or settings belonging to other users or forms. The vulnerability requires valid site credentials but no additional user interaction.
What an attacker can do
03 Attacker Capabilities
Modify form data or settings belonging to other users or forms.
Potential impact on your site
04 Site Impact
Form data integrity is at risk; users' submissions or form configurations may be altered by other authenticated users.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege authenticated account on the site.
Key dates
06 Disclosure timeline
May 12, 2026: CVE published
May 12, 2026: Record updated