WP Forms Connector <= 1.8 - Missing Authorization to Unauthenticated Information Exposure via 'user/list' REST Endpoint
Description
The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/ (callback userDetail()) with permission_callback set to '__return_true', and the function's home-grown authentication only verifies that the supplied 'Username' HTTP header maps to an administrator account and that a 'Password' HTTP header is non-empty. It never validates the password with wp_check_password() (unlike the sibling delete_wc_user() function which does). This makes it possible for unauthenticated attackers to retrieve sensitive information for any registered user ID — including the WordPress password hash (user_pass) and email address — by sending a request with a valid administrator login name (commonly the default 'admin') and any arbitrary password value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=1.8
Vulnerability mechanics
Root cause
"Missing password validation in the userDetail() REST callback allows unauthenticated information disclosure."
Attack vector
An unauthenticated attacker sends a GET request to `/wp-json/wp/v3/user/list/<id>` with a `Username` HTTP header set to a known administrator login (commonly the default 'admin') and any arbitrary non-empty `Password` HTTP header. The plugin's home-grown authentication only checks that the username exists as an administrator and that the password header is not empty, without verifying the password against the stored hash. This allows the attacker to retrieve the full user object for any registered user ID, including the WordPress password hash (`user_pass`) and email address.
Affected code
The `wpCommonAPI` class registers the REST route `wp/v3/user/list/(?P<id>[\d]+)` with `permission_callback` set to `'__return_true'`. The callback `userDetail()` reads `Username` and `Password` HTTP headers but only verifies that the username maps to an administrator account and that the password header is non-empty — it never calls `wp_check_password()` to validate the password. This contrasts with the sibling `delete_wc_user()` function which does perform proper password validation.
What the fix does
The advisory does not include a patch diff, but the remediation is clear: the `userDetail()` callback must call `wp_check_password($password, $user->data->user_pass, $user->ID)` to validate the supplied password against the stored hash, as the sibling `delete_wc_user()` function already does. Additionally, the `permission_callback` should be changed from `'__return_true'` to a callback that performs a proper capability check, such as one that calls `current_user_can()`, to prevent unauthenticated access entirely.
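The remediation described above, as an added example (not the plugin's code and not a published patch). It assumes it is loaded inside WordPress; the `example/v1` namespace, the route and the `example_*` function names are hypothetical, and the field allow-list is an extra hardening step beyond what the advisory states.

```php
<?php
// Added example, not the plugin's code. 'example/v1' and example_* names are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user/(?P<id>[\d]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_user_detail',
        // Runs before the callback; false or a WP_Error rejects the request.
        'permission_callback' => 'example_user_detail_permission',
    ) );
} );

function example_user_detail_permission( WP_REST_Request $request ) {
    // Caller already authenticated by WordPress itself (cookie + nonce, application password).
    if ( current_user_can( 'list_users' ) ) {
        return true;
    }
    // Header credentials, as the plugin uses, but verified in full.
    $login    = (string) $request->get_header( 'Username' );
    $password = (string) $request->get_header( 'Password' );
    $user     = ( '' !== $login ) ? get_user_by( 'login', $login ) : false;

    if ( $user && '' !== $password
        && user_can( $user, 'list_users' ) // administrator-only by default
        && wp_check_password( $password, $user->user_pass, $user->ID ) ) {
        return true;
    }
    // One error for unknown login, insufficient role and wrong password alike.
    return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
}

function example_user_detail( WP_REST_Request $request ) {
    $user = get_userdata( (int) $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    // Explicit allow-list: the user_pass hash never leaves the server.
    return rest_ensure_response( array(
        'id'    => $user->ID,
        'login' => $user->user_login,
        'email' => $user->user_email,
        'roles' => $user->roles,
    ) );
}
```

Because the decision is made in `permission_callback`, a request that fails it never reaches the code that loads the user record.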
Preconditions
- Input: The attacker must know or guess a valid administrator login name (commonly 'admin').
- Input: The attacker must supply any non-empty value in the Password HTTP header.
- Config: The target site must have the WP Forms Connector plugin installed and active.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/wp-forms-connector/tags/1.8/WP-Forms-Connector.php (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/f5dfafee-9b6c-4e57-b263-39ff15cd3b51 (mitre)