CVE Catalog

CVE-2026-11794

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

The Advanced Form Integration plugin for WordPress before version 2.1.1 does not restrict the WordPress role assigned when creating a user from a public form submission. This allows unauthenticated visitors to create an administrator account if an active integration maps the user role to a public form field, requiring a specific non-default configuration.

Risk Assessment

The risk is the potential for unauthorized takeover of the WordPress site by an attacker creating an administrator account. This could lead to full site compromise, data theft, or further attacks.

Recommendation

Immediately update the Advanced Form Integration plugin to version 2.1.1 or later. Additionally, review integration configurations to ensure user roles are not mapped to public form fields.

Original NVD description (English source)

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user role to a public form field. This requires a specific, non-default multi-Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 configuration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS