Description
The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/<id> (callback userDetail()) with permission_callback set to '__return_true', and the function's home-grown authentication only verifies that the supplied 'Username' HTTP header maps to an administrator account and that a 'Password' HTTP header is non-empty. It never validates the password with wp_check_password() (unlike the sibling delete_wc_user() function which does). This makes it possible for unauthenticated attackers to retrieve sensitive information for any registered user ID — including the WordPress password hash (user_pass) and email address — by sending a request with a valid administrator login name (commonly the default 'admin') and any arbitrary password value.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Forms Connector plugin registers a REST route wp/v3/user/list/<id> that is supposed to be protected, but the permission_callback always returns true. The authentication logic only checks that the supplied Username header corresponds to an administrator and that a non‑empty Password header is present; it never validates the password. Consequently an unauthenticated user who knows an administrator login name (e.g. admin) can send a request and obtain the password hash and email address of any registered user. The vulnerability is a pure information‑exposure flaw with no impact on the integrity or availability of the site.

Affected Systems

This issue affects the WP Forms Connector plugin for WordPress, version 1.8 and all earlier releases. Users of the plugin developed by Hancock11 should review the installed version and ensure it is upgraded to a fixed release if one exists.

Risk and Exploitability

The CVSS score of 7.5 indicates a high level of risk, and although an EPSS score is not available, the flaw is actively exploited in the wild, as documented in the Wordfence threat intel. Attackers only need to know an administrator username; no further credentials or network access are required. The weakness falls under CWE‑862 (Missing Authorization). Because the information exposed includes password hashes, this vulnerability is particularly severe for the confidentiality of user accounts. The risk is high enough that immediate attention is recommended.

Generated by OpenCVE AI on June 24, 2026 at 09:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Forms Connector to the latest available version that contains the authorization fix.
  • If an update is unavailable, remove or restrict the vulnerable REST route by replacing the permission_callback with a function that checks the user’s capabilities (e.g., wp_get_current_user()->has_cap('edit_posts')).
  • Disable the wp/v3/user/list/<id> endpoint entirely if it is not required for site functionality, or configure WordPress to require authentication for all REST routes.
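The second and third actions above can be applied without touching the plugin's files. The following must-use plugin is an added example, not code from WP Forms Connector or OpenCVE. It assumes the route prefix `/wp/v3/user/list/` as given in the description; the function name, the constant and the choice of the `list_users` capability are hypothetical choices made for this example.

```php
<?php
/**
 * Plugin Name: Guard for the wp/v3/user/list REST route (added example)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins
 * and cannot be deactivated from the admin screen.
 */

// Prefix taken from the advisory text. The exact pattern the plugin
// registers is not shown there, so this guard matches on the prefix.
const WPFC_GUARD_ROUTE_PREFIX = '/wp/v3/user/list/';

/**
 * Runs before WordPress dispatches any REST route callback, so the
 * plugin's permission_callback of '__return_true' is never the only gate.
 *
 * @param mixed           $result  Non-null if an earlier filter already answered.
 * @param WP_REST_Server  $server  REST server instance (unused).
 * @param WP_REST_Request $request Incoming request.
 * @return mixed Unchanged $result, or WP_Error to reject the request.
 */
function wpfc_guard_user_list_route( $result, $server, $request ) {
    // Respect a response or error produced by an earlier filter.
    if ( null !== $result ) {
        return $result;
    }

    // WordPress matches REST routes case-insensitively, so compare in lowercase.
    $route = strtolower( $request->get_route() );
    if ( 0 !== strpos( $route, WPFC_GUARD_ROUTE_PREFIX ) ) {
        return $result; // Some other route: leave it alone.
    }

    // The 'Username' and 'Password' request headers are ignored here.
    // Only a caller authenticated by WordPress itself (cookie plus nonce,
    // or an application password) holding 'list_users' gets through.
    if ( ! current_user_can( 'list_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to view user details.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }

    return $result;
}
add_filter( 'rest_pre_dispatch', 'wpfc_guard_user_list_route', 10, 3 );
```

To disable the endpoint entirely rather than restrict it, return the `WP_Error` for every request that matches the prefix, regardless of capability.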

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/<id> (callback userDetail()) with permission_callback set to '__return_true', and the function's home-grown authentication only verifies that the supplied 'Username' HTTP header maps to an administrator account and that a 'Password' HTTP header is non-empty. It never validates the password with wp_check_password() (unlike the sibling delete_wc_user() function which does). This makes it possible for unauthenticated attackers to retrieve sensitive information for any registered user ID — including the WordPress password hash (user_pass) and email address — by sending a request with a valid administrator login name (commonly the default 'admin') and any arbitrary password value.
Title WP Forms Connector <= 1.8 - Missing Authorization to Unauthenticated Information Exposure via 'user/list' REST Endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:13:00.298Z

Reserved: 2026-05-21T14:44:27.753Z

Link: CVE-2026-9178

Vulnrichment

Updated: 2026-06-24T12:12:37.208Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses