Description
Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.9.6.
Published: 2026-01-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

The Easy Form Builder plugin for WordPress contains a missing authorization check that allows an attacker to bypass access controls and perform operations such as creating, reading, or deleting form data. This flaw is classified as CWE-862 and can lead to unauthorized disclosure or modification of user input and related content.

Affected Systems

The vulnerability applies to hassantafreshi Easy Form Builder version 3.9.6 and earlier. All users running this plugin on a WordPress site are potentially affected, as the issue spans all releases from the outset of the plugin up to and including 3.9.6.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity, while the EPSS score is below 1%, suggesting a low chance of active exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. The description indicates a missing authorization check, which could allow an attacker with access to the site to perform operations such as creating, reading, or deleting form data without proper role verification. However, the specific attack path or required context is not detailed in the available CVE information.

Generated by OpenCVE AI on April 18, 2026 at 03:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Form Builder to the latest available release.
  • Restrict WordPress administrator and plugin configuration access to trusted users only.
  • Audit existing form configurations and remove any form visibility options that grant broader access than needed.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.9.6.
Title WordPress Easy Form Builder plugin <= 3.9.6 - Broken Access Control vulnerability
Weaknesses CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:58.499Z

Reserved: 2026-01-07T13:44:06.688Z

Link: CVE-2026-22472

Vulnrichment

Updated: 2026-01-23T16:51:34.860Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:35.880

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses