Description
Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.1.
Published: 2026-01-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access Control Bypass
Action: Patch
AI Analysis

Impact

The Campaign Monitor for WordPress forms-for-campaign-monitor plugin contains a missing authorization vulnerability that allows attackers to exploit incorrectly configured access‑control security levels and bypass access controls, potentially accessing or altering restricted form data. This flaw is classified under CWE‑862, indicating that proper access‑control checks are not enforced.

Affected Systems

Affected systems include any instance of the Campaign Monitor for WordPress plugin on WordPress sites running version 2.9.1 or earlier. The vulnerability applies to all installations up to and including 2.9.1, with the plugin’s full set of features available to unauthorized users.

Risk and Exploitability

The CVSS score associated with this issue is 4.3, indicating a moderate severity level. Exploit probability measured by EPSS is below 1%, implying a low likelihood of active exploitation in the wild. The vulnerability is not documented in the CISA KEV catalog. Attackers would most likely exploit this flaw remotely by accessing the plugin’s front‑end or administrative endpoints; however, the description does not detail the exact attack vector, so this assessment is inferred from typical plugin vulnerabilities.

Generated by OpenCVE AI on April 28, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Campaign Monitor for WordPress plugin to a version newer than 2.9.1, ensuring that all access control mechanisms are correctly implemented.
  • If upgrading immediately is not feasible, configure WordPress user roles so that only administrators and explicitly authorized users can access the plugin’s settings and forms pages, thereby mitigating unauthorized use.
  • As a temporary measure, disable or remove the plugin from sites that cannot be promptly updated, to eliminate the exposed access control flaw.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.0.
  Added: Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.1.
Title
  Removed: WordPress Campaign Monitor for WordPress plugin <= 2.9.0 - Broken Access Control vulnerability
  Added: WordPress Campaign Monitor for WordPress plugin <= 2.9.1 - Broken Access Control vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 12 Jan 2026 19:15:00 +0000

Metrics
  Added:
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 13:30:00 +0000

First Time appeared
  Added:
    Campaign Monitor
    Campaign Monitor for Wordpress
    Wordpress
    Wordpress wordpress
Vendors & Products
  Added:
    Campaign Monitor
    Campaign Monitor for Wordpress
    Wordpress
    Wordpress wordpress

Thu, 08 Jan 2026 09:45:00 +0000

Description
  Added: Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.0.
Title
  Added: WordPress Campaign Monitor for WordPress plugin <= 2.9.0 - Broken Access Control vulnerability
Weaknesses
  Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T17:24:08.401Z

Reserved: 2026-01-07T17:39:20.896Z

Link: CVE-2026-0674

Vulnrichment

Updated: 2026-01-12T18:32:21.924Z

NVD

Status: Deferred

Published: 2026-01-08T10:15:54.910

Modified: 2026-04-23T15:36:26.790

Link: CVE-2026-0674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T22:45:25Z

Weaknesses