Description
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address (which is common), the plugin falls back to reading the 'form_notify_line_email' cookie value without verifying that the LINE account is associated with that email address. This makes it possible for unauthenticated attackers to gain access to any user account on the site, including administrator accounts, by completing a LINE OAuth flow with their own LINE account while injecting a malicious cookie containing the target victim's email address.
Published: 2026-05-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Form Notify WordPress plugin allows an unauthenticated attacker to bypass authentication by manipulating cookie data during a LINE OAuth login. When a LINE account does not provide an email address, the plugin reads the value from the form_notify_line_email cookie without verifying its association with the LINE account. By sending a malicious cookie containing the target victim’s email address and completing the LINE OAuth flow with their own LINE account, an attacker can authenticate as any user, including administrators, granting full site access.
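The account-selection flaw described above, as an added illustration that is not the Form Notify plugin's own code: a minimal PHP callback handler that falls back to the `form_notify_line_email` cookie, beside a hardened version that identifies the WordPress account only from what the identity provider asserted. The user table, the `sub`/`email` profile fields, and the `line_sub` link are assumptions for this example.

```php
<?php
// Added illustration, not the plugin's code. Constructed stand-in for the
// WordPress user table: email => [user ID, LINE user ID linked earlier while
// the user was already logged in].
$users = [
    'admin@example.test' => ['id' => 1, 'line_sub' => null],
    'alice@example.test' => ['id' => 7, 'line_sub' => 'U1111'],
];

// Vulnerable pattern from the advisory: when LINE returns no email, the
// account to log in is chosen from a cookie the browser itself supplied.
function vulnerable_pick_account(array $line_profile, array $cookie, array $users): ?int {
    $email = $line_profile['email'] ?? ($cookie['form_notify_line_email'] ?? null);
    return ($email !== null && isset($users[$email])) ? $users[$email]['id'] : null;
}

// Hardened: only provider-asserted data decides identity. The stable LINE
// user ID ('sub' from the verified ID token, an assumption here) is matched
// against a link the site stored itself; an email is used only if LINE
// returned it. Cookies never participate in the decision.
function hardened_pick_account(array $line_profile, array $users): ?int {
    $sub = $line_profile['sub'] ?? null;
    if ($sub !== null) {
        foreach ($users as $u) {
            if ($u['line_sub'] === $sub) {
                return $u['id'];
            }
        }
    }
    $email = $line_profile['email'] ?? null;
    if ($email !== null && isset($users[$email])) {
        return $users[$email]['id'];
    }
    return null; // unlinked LINE account without an email: log nobody in
}

// Constructed scenario: a LINE account unknown to the site, no email in the
// profile, and a cookie naming the administrator's address.
$profile = ['sub' => 'U9999'];
$cookie  = ['form_notify_line_email' => 'admin@example.test'];

echo 'vulnerable: ', var_export(vulnerable_pick_account($profile, $cookie, $users), true), PHP_EOL;
echo 'hardened:   ', var_export(hardened_pick_account($profile, $users), true), PHP_EOL;
echo 'linked:     ', var_export(hardened_pick_account(['sub' => 'U1111'], $users), true), PHP_EOL;
```

The vulnerable function resolves the cookie's address to the administrator account, while the hardened one returns no account for the same input and only logs in the user whose stored LINE link matches.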

Affected Systems

WordPress sites that have installed the Form Notify plugin in versions 1.1.10 or earlier are affected. Any site using the plugin before the release of a fixed version is at risk, regardless of the number of users or the configuration of LINE OAuth.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. EPSS data is not available, but the lack of a KEV listing does not reduce the urgency; the vulnerability enables remote unauthorized access via a web-based OAuth flow. Attackers can target any publicly accessible WordPress site that accepts LINE OAuth login from the plugin, making the exploit plausible for large-scale attacks.

Generated by OpenCVE AI on May 15, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Form Notify plugin to the latest version that addresses this authentication bypass
  • If an update is not immediately possible, remove or disable the Form Notify plugin to eliminate the vulnerable code path
  • Disable LINE OAuth login or ensure that user-controlled cookie values are not trusted by the plugin until a patch is applied


Tracking


Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 11:45:00 +0000

Type: First Time appeared
Values Added: M615926 Receive Notifications After Form Submitting – Form Notify For Any Forms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: M615926 Receive Notifications After Form Submitting – Form Notify For Any Forms; Wordpress; Wordpress wordpress

Fri, 15 May 2026 09:00:00 +0000

Type: Description
Values Added: The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address (which is common), the plugin falls back to reading the 'form_notify_line_email' cookie value without verifying that the LINE account is associated with that email address. This makes it possible for unauthenticated attackers to gain access to any user account on the site, including administrator accounts, by completing a LINE OAuth flow with their own LINE account while injecting a malicious cookie containing the target victim's email address.

Type: Title
Values Added: Receive Notifications After Form Submitting – Form Notify for Any Forms <= 1.1.10 - Unauthenticated Authentication Bypass via LINE OAuth Callback

Type: Weaknesses
Values Added: CWE-287

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-15T13:27:33.984Z

Reserved: 2026-03-31T13:24:44.823Z

Link: CVE-2026-5229

Vulnrichment

Updated: 2026-05-15T13:27:28.446Z

NVD

Status: Deferred

Published: 2026-05-15T09:16:16.690

Modified: 2026-05-15T14:09:15.910

Link: CVE-2026-5229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:20:51Z

Weaknesses