Description
Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery.

This issue affects CformsII: from n/a through 15.1.3.
Published: 2026-05-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery vulnerability exists within the WordPress CformsII plugin that allows an attacker to force a logged‑in user to submit forms or perform other plugin‑related actions without the user’s consent. This flaw is classified as CWE‑352 and can be abused to alter or create content, manipulate form data, or otherwise trigger unintended processes within the site.

Affected Systems

The vulnerability affects the bgermann CformsII plugin for WordPress version 15.1.3 and older. Any installation of the plugin up to and including this version is susceptible. An upgrade to version 15.1.4 or newer removes the flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a high overall risk. Exploit probability data (EPSS) is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploitation to date. The likely attack vector is web‑based: an attacker can host a malicious page that, when visited by an authenticated user, submits a CSRF request to the site leveraging the vulnerable plugin. If successful, the attacker could execute unintended form actions as the user, potentially leading to unauthorized data changes or content injection.

Generated by OpenCVE AI on May 25, 2026 at 23:23 UTC.

Remediation

Vendor Solution

Update the WordPress CformsII Plugin to the latest available version (at least 15.1.4).


OpenCVE Recommended Actions

  • Update the WordPress CformsII Plugin to version 15.1.4 or later
  • If the plugin is not required, disable or remove it from the site
  • Implement site‑wide CSRF protection or configure the plugin to enforce nonce verification to prevent unauthorized form submissions


Advisories

No advisories yet.

History

Tue, 26 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bgermann; Bgermann cformsii; Wordpress; Wordpress wordpress
Vendors & Products | | Bgermann; Bgermann cformsii; Wordpress; Wordpress wordpress

Tue, 26 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery. This issue affects CformsII: from n/a through 15.1.3.
Title | | WordPress CformsII plugin <= 15.1.3 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-26T10:51:09.056Z

Reserved: 2026-04-07T08:24:21.369Z

Link: CVE-2026-39436

Vulnrichment

Updated: 2026-05-26T10:51:03.976Z

NVD

Status: Received

Published: 2026-05-25T23:16:32.697

Modified: 2026-05-25T23:16:32.697

Link: CVE-2026-39436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T12:59:56Z

Weaknesses