cleantalk
Vulnerabilities and Security Researches

Smart Forms – when you need more than just a contact form, CVE-2026-2022

CVE, Research URL

CVE-2026-2022

Home page URL

Security reports for Smart Forms – when you need more than just a contact form

Application

Smart Forms – when you need more than just a contact form

Published on
Feb 14, 2026
Research Description
The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.
Affected versions
max 2.6.99.
Status
vulnerable
Previous vulnerability researches
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2025-24750) , Jan 26, 2025
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2026-1993) , Apr 14, 2026
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2026-1992) , Apr 14, 2026
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2023-23880) , Jun 06, 2024
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (CVE-2023-0082) , Jun 06, 2024
New vulnerability
PDF Invoices & Packing Slips for WooCommerce (CVE-2026-1906) , Apr 15, 2026
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin (CVE-2026-4109) , Apr 15, 2026
User Submitted Posts – Enable Users to Submit Posts from the Front End (CVE-2026-2126) , Apr 15, 2026
User Submitted Posts – Enable Users to Submit Posts from the Front End (CVE-2026-0913) , Apr 15, 2026
Display During Conditional Shortcode (CVE-2025-6460) , Apr 15, 2026