Description
The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.
Published: 2026-02-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Retrieval of Campaign Data
Action: Update Plugin
AI Analysis

Impact

The Smart Forms plugin for WordPress suffers from a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action. As a result, authenticated users with Subscriber-level access and higher can invoke this endpoint and retrieve donation campaign data, including campaign IDs and names. This leads to sensitive campaign information exposure but does not grant further privileges or system compromise.

Affected Systems

The vulnerability affects the Smart Forms plugin, produced by edgarrojas, in version 2.6.99 and all earlier builds. Any WordPress installation running an affected version of this plugin is exposed, regardless of theme or other installed plugins.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium risk, driven mainly by the missing authorization check. The EPSS score is below 1%, implying that exploitation is unlikely or not widely observed, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only a valid Subscriber account, which is a common role in many WordPress installations. Because the request must come from an authenticated session, the likelihood of a successful exploit depends on whether an attacker already holds or can obtain such an account on the site. Nonetheless, administrators should treat this as a low-to-moderate risk that warrants an update.

Generated by OpenCVE AI on April 15, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Smart Forms to a version newer than 2.6.99, where the capability check has been added.
  • If an immediate upgrade is not possible, reduce the Subscriber role’s permissions or disable the 'rednao_smart_forms_get_campaigns' AJAX endpoint to prevent access for non-admin users.
  • Temporarily disable the 'rednao_smart_forms_get_campaigns' AJAX action by customizing the plugin or using a custom code snippet that intercepts the action and returns wp_die() for non-admin callers.
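A must-use plugin implementing the last action above, added here as an example; it is not code from the Smart Forms plugin or from OpenCVE. It assumes the plugin registers its handler on the standard `wp_ajax_rednao_smart_forms_get_campaigns` hook at WordPress's default priority (10), and treats `manage_options` as the "admin" capability; adjust that capability if other roles legitimately need campaign data.

```php
<?php
/**
 * Plugin Name: Smart Forms campaign endpoint guard (example mitigation)
 * Description: Denies non-admin callers of the rednao_smart_forms_get_campaigns AJAX action.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumptions: the plugin's own handler is attached to
 * wp_ajax_rednao_smart_forms_get_campaigns at the default priority (10), and
 * 'manage_options' is the capability that identifies administrators.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Direct file access is not allowed.
}

/**
 * Terminate the request unless the current user holds the required capability.
 * Hooked at priority 1 so it runs before the plugin's handler at priority 10.
 */
function example_guard_smart_forms_campaigns() {
    $required_capability = 'manage_options'; // Assumption: restrict to administrators.

    if ( current_user_can( $required_capability ) ) {
        return; // Authorized caller: fall through to the plugin's own handler.
    }

    // Record the blocked attempt when debug logging is enabled; useful for detection.
    if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        $remote = isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
            : 'unknown';
        error_log( sprintf(
            'Blocked rednao_smart_forms_get_campaigns for user %d from %s',
            get_current_user_id(),
            $remote
        ) );
    }

    // Stop execution with a 403 so the plugin's handler never runs for this request.
    wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
}
add_action( 'wp_ajax_rednao_smart_forms_get_campaigns', 'example_guard_smart_forms_campaigns', 1 );
```

Remove the file after upgrading to a fixed release, since the guard otherwise keeps blocking roles the patched plugin may intentionally allow.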

Generated by OpenCVE AI on April 15, 2026 at 20:39 UTC.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values removed: none
Values added: Edgarrojas; Edgarrojas smart Forms – When You Need More Than Just A Contact Form; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: none
Values added: Edgarrojas; Edgarrojas smart Forms – When You Need More Than Just A Contact Form; Wordpress; Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type: Description
Values removed: none
Values added: The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.

Type: Title
Values removed: none
Values added: Smart Forms <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure

Type: Weaknesses
Values removed: none
Values added: CWE-862

Type: References
Values removed: none
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:27.378Z

Reserved: 2026-02-05T20:32:26.267Z

Link: CVE-2026-2022

Vulnrichment

Updated: 2026-02-17T15:36:47.783Z

NVD

Status : Deferred

Published: 2026-02-14T07:16:12.847

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses