CVE-2026-39594

Vulnerability

The WordPress plugin Ultra Addons for WPForms versions up to and including 1.0.11 contain a broken access control vulnerability [1]. This means that functions that should require higher privileges lack proper authorization checks, allowing lower-privileged users such as subscribers to access them. The vulnerability is present in the plugin's code and does not require any special configuration to be reachable.

Exploitation

An attacker with a subscriber-level account on a WordPress site can exploit this vulnerability by sending crafted requests to the vulnerable endpoints [1]. No additional authentication or user interaction is needed beyond having a subscriber account. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of sites.

Impact

Successful exploitation allows a subscriber to perform actions intended for higher-privileged users, potentially leading to unauthorized data access, modification, or other administrative actions [1]. The exact impact depends on the specific broken access control, but it could result in information disclosure or privilege escalation.

Mitigation

The vulnerability is fixed in version 1.0.12 of the plugin [1]. Users should update immediately. If unable to update, consider using a web application firewall or security plugin that can block exploitation attempts. Patchstack has issued a mitigation rule. No workaround other than updating is mentioned.