CVE-2026-42659
Description
A subscriber-level broken access control in Advanced Form Integration <=1.126.12 lets unprivileged users perform higher-privileged actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Advanced Form Integration plugin for WordPress versions up to and including 1.126.12 contains a broken access control vulnerability [1]. This issue involves missing authorization, authentication, or nonce token checks in certain functions, allowing unprivileged users (subscribers) to execute actions that should require higher privileges. The specific affected functionality has not been fully disclosed [1], but the vulnerability is present in all versions prior to 1.127.0.
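As an added illustration of the flaw class described above (a handler that any logged-in user can reach because it performs no capability or nonce check), here is a hypothetical WordPress AJAX handler in its weak form beside a hardened form. This is example code written for this page, not code from Advanced Form Integration or from the cited advisory; the hook names, the `example_settings` option and the `manage_options` capability are assumptions.

```php
<?php
// Hypothetical example, not the plugin's code. The hook names, option name
// and capability below are assumptions chosen for illustration.

// WEAK PATTERN: a wp_ajax_ hook is reachable by every authenticated user,
// including subscribers. Without an authorization check, the handler lets
// any account change a setting that should be reserved for administrators.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unprotected' );
function example_save_settings_unprotected() {
    // No current_user_can() and no nonce verification: any logged-in role
    // can reach this line and overwrite the option.
    update_option( 'example_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED PATTERN: authorization first (capability check), then CSRF
// protection (nonce), then input sanitization.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_protected' );
function example_save_settings_protected() {
    // Authorization: only users who may manage options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: the request must carry a nonce issued for this action.
    // check_ajax_referer() exits with a 403 response on failure.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// Where the admin form is rendered, emit the nonce the handler expects.
// Rendering is also gated by the capability so the nonce is only issued
// to users who are authorized to submit the form.
function example_render_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<form id="example-settings">';
    wp_nonce_field( 'example_save_settings', 'nonce' );
    echo '<input type="text" name="settings" />';
    echo '</form>';
}
```

The two checks are not interchangeable: a nonce proves the request was formed by the site for the current user's session, so a subscriber who can obtain a nonce for the action still passes it. Only the `current_user_can()` call decides who is allowed to perform the action, which is why a missing capability check, the pattern this advisory describes, is an authorization bug regardless of whether a nonce is verified.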
Exploitation
An attacker needs only a subscriber-level account on a WordPress site running the vulnerable plugin [1]. No additional network position, write access, or user interaction is required beyond normal web access. The attacker can directly trigger the vulnerable function, which lacks proper access control checks [1]. The vulnerability is expected to be used in mass-exploit campaigns against thousands of websites [1].
Impact
Successful exploitation allows a subscriber to perform unauthorized actions that should be reserved for higher-privileged roles such as administrators [1]. The specific impact depends on the unprotected function but could include modifying plugin settings, accessing sensitive data, or other privileged operations. The CVSS score of 6.5 reflects medium severity [1].
Mitigation
The vulnerability is fixed in version 1.127.0, released after the disclosure [1]. Users should update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the patch is applied [1]. Auto-updates can be enabled for Patchstack users [1]. No workaround other than updating or using the mitigation rule has been disclosed [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Advanced Form Integration (WordPress plugin), range: <= 1.126.12
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.