cleantalk
Vulnerabilities and Security Researches

Tectite Forms, CVE-2026-9599

CVE, Research URL

CVE-2026-9599

Home page URL

Security reports for Tectite Forms

Application

Tectite Forms

Published on
Jun 02, 2026
Research Description
The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the admin_init function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the tectite_forms_button option, via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.3.
Status
vulnerable
Previous vulnerability researches
WooCommerce Loyal Customers (CVE-2025-32544) , Apr 15, 2025
New vulnerability
DeMomentSomTres Shortcodes (CVE-2026-8885) , Jun 04, 2026
Content Visibility for Divi Builder (CVE-2026-1829) , Jun 04, 2026
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams (CVE-2026-27333) , Jun 04, 2026
Elementor Website Builder – More than Just a Page Builder (CVE-2026-49782) , Jun 04, 2026
Tectite Forms (CVE-2026-9599) , Jun 04, 2026