CVE-2026-1729 - Vulnerability Details

- AdForest <= 6.0.12 - Authentication Bypass

Description

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sb_login_user_with_otp_fun' function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.

Published: 2026-02-12

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the AdForest WordPress theme allows unauthenticated users to invoke the sb_login_user_with_otp_fun function without identity verification. As a result, an attacker can authenticate as any user, including administrators, thereby gaining the privileges of the target account. The vulnerability is a classic authentication bypass, classified as CWE-306, and directly compromises the integrity of user access controls.

Affected Systems

This issue affects all installations of the scriptsbundle AdForest WordPress theme numbered 6.0.12 or earlier. The flaw is present regardless of the underlying WordPress version, so any site using the affected theme needs to be considered at risk until the theme is replaced with a corrected release.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical, meaning that a successful bypass can lead to full system compromise. The EPSS score of less than 1% suggests that exploitation is currently uncommon, and the vulnerability is not listed in CISA’s KEV catalog. While the description does not specify the exact method an attacker would use, it is reasonable to infer that the vulnerability can be exercised remotely by crafting a request to the sb_login_user_with_otp_fun endpoint, which is part of the web login process and does not require any client-side software or privileged access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

scriptsbundle

AdForest

unaffected

Version	Status	Constraints
`0`	affected	≤ 6.0.12

No data.

Vendor Product Confidence Versions

Scriptsbundle

Adforest

—

Version	Status	Scheme	Platform
`[0,6.0.12]`	affected	semver	—

Wordpress

—

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the AdForest WordPress theme to a version newer than 6.0.12 to remove the flawed authentication logic.
If an immediate upgrade is not possible, block or restrict unauthenticated access to the sb_login_user_with_otp_fun endpoint using your web server or a WordPress security plugin to prevent the bypass from being triggered.
Implement two‑factor authentication for all administrator accounts to reduce the impact of a potential bypass before the patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 00:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00122.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://themeforest.net/item/adforest-classified-wordpress-theme/19481695
https://www.wordfence.com/threat-intel/vulnerabilities/id/34fd42cb-3868-4b1c-bc56-575faf01e8f3?source=cve

History

Thu, 12 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 12 Feb 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Scriptsbundle Scriptsbundle adforest Wordpress Wordpress wordpress
Vendors & Products		Scriptsbundle Scriptsbundle adforest Wordpress Wordpress wordpress

Thu, 12 Feb 2026 01:45:00 +0000

Type	Values Removed	Values Added
Description		The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sb_login_user_with_otp_fun' function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.
Title		AdForest <= 6.0.12 - Authentication Bypass
Weaknesses		CWE-306
References		https://themeforest.net/item/adforest-classified-wordpress-theme/19481695 https://www.wordfence.com/threat-intel/vulnerabilities/id/34fd42cb-3868-4b1c-bc56-575faf01e8f3?source=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Scriptsbundle Adforest

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-12T01:23:42.939Z

Updated: 2026-04-08T16:45:51.879Z

Reserved: 2026-01-31T18:37:54.180Z

Link: CVE-2026-1729

Vulnrichment

Updated: 2026-02-12T15:36:03.924Z

NVD

Status : Deferred

Published: 2026-02-12T02:15:48.993

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1729

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:00:19Z

Weaknesses

CWE-306

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object