cleantalk
Vulnerabilities and Security Researches

WP-Forms-Connector, CVE-2026-9178

CVE, Research URL

CVE-2026-9178

Home page URL

Security reports for WP-Forms-Connector

Application

WP-Forms-Connector

Published on
Jun 24, 2026
Research Description
The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/<id> (callback userDetail()) with permission_callback set to '__return_true', and the function's home-grown authentication only verifies that the supplied 'Username' HTTP header maps to an administrator account and that a 'Password' HTTP header is non-empty. It never validates the password with wp_check_password() (unlike the sibling delete_wc_user() function which does). This makes it possible for unauthenticated attackers to retrieve sensitive information for any registered user ID — including the WordPress password hash (user_pass) and email address — by sending a request with a valid administrator login name (commonly the default 'admin') and any arbitrary password value.
Affected versions
max 1.8.
Status
vulnerable
Previous vulnerability researches
FPW Category Thumbnails (CVE-2026-2382) , Jun 04, 2026
FPW Category Thumbnails (CVE-2025-31841) , Apr 05, 2025
New vulnerability
Infility Global (CVE-2026-7842) , Jun 25, 2026
Infility Global (CVE-2026-8163) , Jun 25, 2026
Motors – Car Dealer, Classifieds &amp; Listing (CVE-2026-54828) , Jun 25, 2026
130+ Widgets | Best Addons For Elementor &#8211; FREE (CVE-2026-11614) , Jun 25, 2026
MIR blocks and shortcodes (CVE-2026-8896) , Jun 25, 2026