CVE-2026-11794
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
The Advanced Form Integration plugin for WordPress before version 2.1.1 does not restrict the WordPress role assigned when creating a user from a public form submission. This allows unauthenticated visitors to create an administrator account if an active integration maps the user role to a public form field, requiring a specific non-default configuration.
Risk Assessment
The risk is the potential for unauthorized takeover of the WordPress site by an attacker creating an administrator account. This could lead to full site compromise, data theft, or further attacks.
Recommendation
Immediately update the Advanced Form Integration plugin to version 2.1.1 or later. Additionally, review integration configurations to ensure user roles are not mapped to public form fields.
Original NVD description (English source)
The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user role to a public form field. This requires a specific, non-default multi-Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 configuration.

