CVE-2026-7050
Forms Rb <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter
The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to read form submission records, modify form configuration options, and delete records belonging to any form they do not own.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Productos afectados
rbplugins · Forms Rb¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://plugins.trac.wordpress.org/browser/forms-rb/tags/1.1.9/app/api.php#L128https://plugins.trac.wordpress.org/browser/forms-rb/tags/1.1.9/app/api.php#L190https://plugins.trac.wordpress.org/browser/forms-rb/tags/1.1.9/app/api.php#L316https://plugins.trac.wordpress.org/browser/forms-rb/tags/1.1.9/app/api.php#L41https://plugins.trac.wordpress.org/browser/forms-rb/tags/1.1.9/app/api.php#L444https://plugins.trac.wordpress.org/browser/forms-rb/tags/1.1.9/app/api.php#L623https://plugins.trac.wordpress.org/browser/forms-rb/trunk/app/api.php#L128https://plugins.trac.wordpress.org/browser/forms-rb/trunk/app/api.php#L190https://plugins.trac.wordpress.org/browser/forms-rb/trunk/app/api.php#L316https://plugins.trac.wordpress.org/browser/forms-rb/trunk/app/api.php#L41https://plugins.trac.wordpress.org/browser/forms-rb/trunk/app/api.php#L444https://plugins.trac.wordpress.org/browser/forms-rb/trunk/app/api.php#L623