Description
Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms <= 2.6.24 versions.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insecure direct object reference (IDOR) in the WordPress Toolset Forms plugin. It allows an unauthenticated attacker to reach form objects by supplying arbitrary object identifiers in a request. The weakness is CWE-639 (Authorization Bypass Through User-Controlled Key): the application selects an object using a caller-controlled key without verifying that the caller is authorized for that particular object. Reading other users' submissions or altering stored data is the usual consequence of an IDOR, but note that the published CVSS 3.1 vector (C:N/I:N/A:H) scores the impact as availability only, and the advisory does not state which data or operations the flaw exposes, so the exact consequence should be treated as unconfirmed.
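As an added illustration (not code from Toolset Forms, Patchstack or OpenCVE, and not the plugin's actual handler), the following shows the pattern CWE-639 describes in a WordPress AJAX endpoint: a handler that trusts a caller-supplied object key, beside a hardened handler that binds access to the caller. The action names, the `example_submission` post type and the `submission_id` parameter are assumptions chosen for the example.

```php
<?php
/**
 * Added example of CWE-639 in a WordPress AJAX handler. Not Toolset Forms code:
 * the action names, the 'example_submission' post type and the 'submission_id'
 * parameter are hypothetical. The first handler shows the flaw the advisory
 * describes (an unauthenticated caller selects an object by a key it controls);
 * the second enforces authorization on that object.
 */

/* Vulnerable pattern: reachable by logged-out users and trusts the key. */
add_action( 'wp_ajax_nopriv_example_get_submission', 'example_get_submission_vulnerable' );
add_action( 'wp_ajax_example_get_submission', 'example_get_submission_vulnerable' );

function example_get_submission_vulnerable() {
	$id   = absint( $_REQUEST['submission_id'] ?? 0 ); // attacker-controlled object key
	$post = get_post( $id );                           // fetched with no ownership or capability check
	if ( ! $post ) {
		wp_send_json_error( 'not found', 404 );
	}
	// Any remote host can walk submission_id=1,2,3,... and act on every object that exists.
	wp_send_json_success( array( 'id' => $post->ID, 'content' => $post->post_content ) );
}

/* Hardened pattern: no nopriv hook, nonce check, type check, object-level authorization. */
add_action( 'wp_ajax_example_get_submission_secure', 'example_get_submission_secure' );

function example_get_submission_secure() {
	// Rejects cross-site requests; the client must send a nonce minted with
	// wp_create_nonce( 'example_submission' ) in the 'nonce' parameter.
	check_ajax_referer( 'example_submission', 'nonce' );

	$id   = absint( $_REQUEST['submission_id'] ?? 0 );
	$post = get_post( $id );
	if ( ! $post || 'example_submission' !== $post->post_type ) {
		// Same response for a missing object and for an object of another type,
		// so valid IDs cannot be enumerated from differing error text.
		wp_send_json_error( 'not found', 404 );
	}

	// Object-level authorization: the key alone grants nothing. The owner of the
	// submission passes; anyone else needs an edit right on this specific object,
	// which for a post type registered with map_meta_cap => true resolves through
	// WordPress's meta-capability mapping (edit_others_posts in the standard mapping).
	$user_id  = get_current_user_id();
	$is_owner = $user_id > 0 && (int) $post->post_author === $user_id;
	if ( ! $is_owner && ! current_user_can( 'edit_post', $post->ID ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	wp_send_json_success( array( 'id' => $post->ID, 'content' => $post->post_content ) );
}
```

The essential difference is that the hardened handler never lets the request decide which objects the caller may touch: it drops the `wp_ajax_nopriv_` registration so unauthenticated requests cannot reach it at all, and then checks the caller's relationship to the specific object rather than merely whether the object exists.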

Affected Systems

The issue affects installations of the Site Building with Toolset plugin suite, specifically the Toolset Forms component. Versions up to and including 2.6.24 are vulnerable. WordPress sites that have not upgraded the Toolset Forms plugin beyond 2.6.24 remain at risk.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High), from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges and no user interaction required, with the scored impact on availability. CVSS measures severity, not likelihood. EPSS information is not available, so the exploitation likelihood is unquantified, though IDOR flaws are commonly probed once disclosed and the SSVC assessment recorded below marks the issue as automatable. The vulnerability is not listed in CISA's KEV catalog. An attacker can trigger the IDOR by sending crafted HTTP requests without authentication, relying on the missing access check on the object key. Because no authentication is required, any remote host can attempt such requests, so the attack surface is every unpatched site that has the plugin active. Given these factors, the overall risk is substantial for unpatched sites.

Generated by OpenCVE AI on June 26, 2026 at 17:08 UTC.

Remediation

Vendor Solution

Update the WordPress Toolset Forms Plugin to the latest available version (at least 2.6.25).


OpenCVE Recommended Actions

  • Update the WordPress Toolset Forms plugin to version 2.6.25 or later.
  • Audit any custom code, templates or URLs that reference Toolset form objects by identifier and confirm they still behave correctly under the access controls introduced in the fixed version.
  • If an immediate update cannot be performed, restrict unauthenticated access to the plugin's request handlers at the web application firewall and alert on clients that enumerate numeric object identifiers. The advisory does not publish the vulnerable endpoint or parameter, so any rule must be derived from the plugin's own request handlers rather than from this page.

Generated by OpenCVE AI on June 26, 2026 at 17:08 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Values added:
  Description: Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms <= 2.6.24 versions.
  Title: WordPress Toolset Forms plugin <= 2.6.24 - Insecure Direct Object References (IDOR) vulnerability
  Weaknesses: CWE-639
  References:
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:17:24.275Z

Reserved: 2026-06-18T14:38:18.949Z

Link: CVE-2026-56069

Vulnrichment

Updated: 2026-06-26T20:17:18.991Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:15:04Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key