CVE-2026-24985
Description
Missing Authorization vulnerability in approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Forms Signature Contract Add-On: from n/a through <= 1.8.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WP Forms Signature Contract Add-On ≤1.8.2 allows unauthenticated users to dismiss notices, a privilege they should not have.
Vulnerability Overview
The WP Forms Signature Contract Add-On plugin for WordPress, versions <= 1.8.2, suffers from a missing authorization vulnerability. The root cause is a broken access control issue where a function responsible for dismissing notices lacks proper authorization or capability checks [1]. This allows any unauthenticated user to execute an action intended only for higher-privileged roles [1].
Attack Vector
An attacker can exploit this vulnerability by sending a crafted request to the plugin's notice dismissal endpoint. No authentication is required, and the attack can be performed remotely over HTTP [1]. The low complexity and the absence of any privilege requirement make it easy to perform at scale.
Impact
Successful exploitation allows an attacker to dismiss (hide) notices that are displayed by the plugin. While this does not lead to data theft or full site compromise, it can be used to suppress security warnings or other important notifications that site administrators rely on [1]. This manipulation of the user interface could contribute to reducing the visibility of security-relevant information.
Mitigation
The vulnerability has been fixed in version 1.8.3 of the plugin [1]. Users are strongly advised to update immediately. For those who cannot update, consulting with a hosting provider or web developer is recommended [1]. The plugin vendor has acknowledged the issue, and auto-update features can be utilized where available [1].
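As an added example (not code from the plugin or its vendor), the script below checks whether a WordPress install carries an affected version by reading the Version header of the plugin installed under the slug named in the description. The plugins directory path passed to `status`, the sample file name `main.php` and the sample header contents are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "wp-forms-signature-contract-add-on"  # slug from the CVE description
LAST_AFFECTED = (1, 8, 2)                     # affected range: <= 1.8.2
HEADER_BYTES = 8192                           # WordPress reads headers from the first 8 KB
FIELD = r"^[ \t/*#@]*{}:[ \t]*(.*)$"          # header line, optionally inside a comment

def header(text, name):
    """Return the value of a plugin header field, or None if absent."""
    m = re.search(FIELD.format(re.escape(name)), text, re.M | re.I)
    return m.group(1).strip() if m else None

def installed_version(plugin_dir):
    """Version string from the main plugin file (the one with 'Plugin Name')."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        if header(head, "Plugin Name"):
            return header(head, "Version")
    return None

def status(plugins_dir):
    """Classify as 'not-installed', 'affected', 'fixed' or 'unknown'."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return "not-installed"
    raw = installed_version(plugin_dir) or ""
    if not re.fullmatch(r"\d+(\.\d+)*", raw):
        return "unknown"  # missing or non-numeric version: check by hand
    ver = tuple(int(p) for p in raw.split("."))
    ver += (0,) * (len(LAST_AFFECTED) - len(ver))  # 1.8 compares as 1.8.0
    return "affected" if ver <= LAST_AFFECTED else "fixed"

def make_sample(version):
    """Constructed plugins directory with one hypothetical main file."""
    root = Path(tempfile.mkdtemp())
    (root / SLUG).mkdir()
    (root / SLUG / "main.php").write_text(
        f"<?php\n/*\n * Plugin Name: Constructed Sample\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for v in ("1.8.2", "1.8.3", "1.7", "2.0-beta"):
        print(v, "->", status(make_sample(v)))
```

On a real site, pass the path of `wp-content/plugins` to `status`; an `unknown` result means the version header could not be parsed and the plugin should be checked by hand.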
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.8.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.