CVE-2026-5229

May 15, 2026, 2:09 p.m.

9.8
Critical

Description

The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address (which is common), the plugin falls back to reading the 'form_notify_line_email' cookie value without verifying that the LINE account is associated with that email address. This makes it possible for unauthenticated attackers to gain access to any user account on the site, including administrator accounts, by completing a LINE OAuth flow with their own LINE account while injecting a malicious cookie containing the target victim's email address.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Form Notify
  • <1.1.11

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress form_notify <1.1.11 / / / / wordpress / /

References

https://github.com/oberonlai/form-notify/commit/5eab0ea
https://github.com/oberonlai/form-notify/commit/9780764
https://plugins.trac.wordpress.org/browser/form-notify/tags/1.1.08/src/APIs/Line/Login/Route.php#L116-L118
https://plugins.trac.wordpress.org/browser/form-notify/tags/1.1.08/src/APIs/Line/Login/User.php#L53
https://plugins.trac.wordpress.org/browser/form-notify/tags/1.1.08/src/APIs/Line/Login/User.php#L72
https://plugins.trac.wordpress.org/browser/form-notify/trunk/src/APIs/Line/Login/Route.php#L116-L118
https://plugins.trac.wordpress.org/browser/form-notify/trunk/src/APIs/Line/Login/User.php#L53
https://plugins.trac.wordpress.org/browser/form-notify/trunk/src/APIs/Line/Login/User.php#L72
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3517908%40form-notify&new=3517908%40form-notify&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f0a7d6f-9b95-4052-bab3-85aca01f6ab7?source=cve

Tags

[email protected]
CWE-287
2026-05-15
CVE-2026-5229

CVSS Score

9.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: May 15, 2026, 9:16 a.m.
Last Modified: May 15, 2026, 2:09 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.