CVE-2026-32446

The vulnerability resides in the WPForms Lite plugin for WordPress, version 1.9.9.3 and earlier. It is classified as a Missing Authorization (Broken Access Control) issue, meaning the plugin fails to properly enforce access control checks for certain functions or API endpoints. This allows an attacker to perform actions that should be restricted to authenticated users with specific privileges. [1]

Exploitation does not require an authenticated session with high privileges; an unprivileged attacker can leverage the missing authorization to bypass intended security restrictions. The attack surface is exposed through the WordPress admin interface and REST endpoints used by the plugin, making it remotely exploitable without special network access. [1]

An attacker who successfully exploits this vulnerability can perform unauthorized actions, such as viewing, modifying, or deleting form data or settings that should be protected. The CVSS v3 base score of 4.3 (Medium) reflects the limited but real risk of data exposure or manipulation. This type of vulnerability is known to be used in mass-exploit campaigns targeting thousands of WordPress sites. [1]

WPForms Lite version 1.9.9.4 patches the issue. Users are strongly advised to update immediately. If auto-update is enabled via a security plugin like Patchstack, the fix will be applied automatically. No workarounds have been published for sites that cannot update immediately. [1]