cleantalk
Vulnerabilities and Security Researches

Smart Forms – when you need more than just a contact form, CVE-2026-2022

CVE, Research URL

CVE-2026-2022

Home page URL

Security reports for Smart Forms – when you need more than just a contact form

Application

Smart Forms – when you need more than just a contact form

Published on
Feb 14, 2026
Research Description
The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.
Affected versions
max 2.6.99.
Status
vulnerable
Previous vulnerability researches
Import and export users and customers (CVE-2024-22151) , Jun 10, 2024
Import and export users and customers (CVE-2019-15327) , Jun 07, 2024
Import and export users and customers (CVE-2022-1255) , Jun 07, 2024
Import and export users and customers (CVE-2020-22277) , Jun 07, 2024
Import and export users and customers (CVE-2019-14683) , Jun 07, 2024
New vulnerability
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin (CVE-2026-4109) , Apr 15, 2026
User Submitted Posts – Enable Users to Submit Posts from the Front End (CVE-2026-2126) , Apr 15, 2026
User Submitted Posts – Enable Users to Submit Posts from the Front End (CVE-2026-0913) , Apr 15, 2026
Display During Conditional Shortcode (CVE-2025-6460) , Apr 15, 2026
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) (CVE-2026-1714) , Apr 15, 2026