CVE-2026-42377

Vulnerability

Overview

CVE-2026-42377 is a missing authorization vulnerability in the WordPress plugin SureForms Pro, affecting versions from n/a through 2.8.0. The plugin fails to properly enforce access control checks, allowing attackers to exploit incorrectly configured access control security levels [1]. This type of broken access control vulnerability can be triggered without proper authentication or authorization validation.

Exploitation

Details

The vulnerability stems from missing authorization checks in one or more functions, enabling an unprivileged user—potentially an unauthenticated attacker—to execute actions that should require higher privileges. The attack surface is broad, as the plugin is widely used, and the vulnerability can be exploited remotely without any special network access [1].

Impact

If exploited, an attacker could gain unauthorized access to sensitive functionality, such as modifying forms, accessing submission data, or performing other administrative actions. The Patchstack advisory highlights that this vulnerability is highly dangerous and expected to become part of mass-exploit campaigns, targeting thousands of websites regardless of size or popularity [1].

Mitigation

The vendor has released version 2.8.1, which resolves the issue. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the patch is applied [1].