Description
The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user role to a public form field. This requires a specific, non-default plugin configuration.
Published: 2026-07-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before version 2.1.1 contains a flaw that allows an unauthenticated visitor to create a new WordPress user account with administrative privileges. The plugin does not enforce role restrictions when generating users from public form submissions, so if a role mapping points at a public form field, a submitted value can make the plugin assign the administrator role. This results in full control of the site without the need for initial authentication.

Affected Systems

This vulnerability affects any WordPress installation running the Advanced Form Integration — Connect Forms to 200+ Apps plugin at a version earlier than 2.1.1. The affected product is the WordPress plugin component of the vendor Advanced Form Integration, and the issue is tied to configurations that map a role to a public form field.

Risk and Exploitability

The CVSS score of 8.1 indicates a high-severity vulnerability. Exploitation requires an attacker to submit a crafted form payload to an enabled integration that maps a role field to a public form field, a scenario that is relatively straightforward once the correct configuration is identified. The exploit is unauthenticated, enabling privilege escalation that compromises site confidentiality, integrity, and availability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so the exploitation probability is unknown but considered significant because of the simplicity of the attack path.

Generated by OpenCVE AI on July 1, 2026 at 15:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced Form Integration — Connect Forms to 200+ Apps plugin to version 2.1.1 or later.
  • If upgrading is not immediately viable, disable role mapping for any public form fields or limit role assignment to authenticated users only.
  • Verify all active integrations to ensure that no public form field is mapped to an administrator role; remove or correct such mappings, and review the user database for any newly created high-privilege accounts.

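One way to enforce the second recommended action site-wide while an upgrade is pending, as an added example that is not code from OpenCVE or from the plugin: a must-use plugin that hooks WordPress core's user_register action and demotes any privileged role granted to a user created by a request that is not authenticated as someone allowed to promote users. The hook and capability names are WordPress core; the privileged-role list, file name and log wording are constructed for this example, and the plugin's own hooks are not assumed.

```php
<?php
/**
 * Plugin Name: Role Assignment Guard (constructed example)
 * Description: Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

add_action( 'user_register', function ( $user_id ) {
    // Roles that should only ever be granted by an authenticated privileged user.
    // Constructed list; extend it with any custom high-privilege roles on the site.
    $privileged = array( 'administrator', 'editor', 'shop_manager' );

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // A logged-in user who may promote users (wp-admin user creation) or a WP-CLI
    // session is a legitimate source of privileged accounts: leave those untouched.
    if ( current_user_can( 'promote_users' ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }

    // Anything else (including a public form submission handled by an integration
    // plugin) must not end up with a privileged role.
    $granted = array_intersect( (array) $user->roles, $privileged );
    if ( empty( $granted ) ) {
        return;
    }

    // wp_insert_user() has already applied the role by the time user_register fires,
    // so replace it with the site's default role and record the event for review.
    $user->set_role( get_option( 'default_role', 'subscriber' ) );
    error_log( sprintf(
        'role-guard: user %d created by an unauthenticated request with role(s) %s; demoted to default role',
        $user_id,
        implode( ',', $granted )
    ) );
}, 10, 1 );
```

Pair this with a periodic check of wp_users for accounts registered recently that hold an administrator capability, since the guard only covers accounts created after it is installed.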

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-285

Wed, 01 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-285

Wed, 01 Jul 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user role to a public form field. This requires a specific, non-default plugin configuration.
Title Advanced Form Integration < 2.1.1 - Unauthenticated Privilege Escalation via Breakdance Form Role Mapping
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-01T10:14:46.721Z

Reserved: 2026-06-09T13:05:09.059Z

Link: CVE-2026-11794

Vulnrichment

Updated: 2026-07-01T10:14:43.145Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T15:15:04Z

Weaknesses

No weakness.