CVE-2026-39436
Description
Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery.
This issue affects CformsII: from n/a through 15.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in WordPress CformsII plugin up to 15.1.3 allows attackers to force privileged users to execute unwanted actions; fixed in 15.1.4.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the bgermann CformsII plugin for WordPress, affecting versions up to and including 15.1.3 (no lower bound is given). The plugin fails to properly validate or verify requests made by authenticated users, allowing an attacker to craft a malicious request that, when executed by an authenticated administrator, performs unintended actions within the plugin's context.
Exploitation
An attacker must trick a privileged user (e.g., an administrator) into clicking a malicious link or visiting a crafted page while the user is logged into WordPress. No authentication is required for the attacker; the forged request is executed under the victim's session. The attack requires user interaction, as the victim must perform an action such as clicking a link or submitting a form.
Impact
Successful exploitation allows the attacker to force the victim to perform actions like modifying plugin settings, creating or deleting users, or altering site configurations. This can lead to privilege escalation, data manipulation, or complete site compromise, depending on the permissions of the victim.
Mitigation
The vulnerability is fixed in version 15.1.4 of the CformsII plugin. Users should update to this version or later immediately. Patchstack users can enable auto-update for vulnerable plugins. No workaround is documented; updating is the recommended action [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=15.1.3
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.