[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkD8SAxSUe9MaT0aiL-Plmq4omCKS0SuNt0hT8De_zRM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-39436","cformsii-cross-site-request-forgery","cformsII \u003C= 15.1.3 - Cross-Site Request Forgery","The cformsII plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 15.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cforms2",null,"\u003C=15.1.3","15.1.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-25 00:00:00","2026-05-26 19:11:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe82a4c9b-dac8-4f18-af58-0190ae27d0a3?source=api-prod",2,[22,23,24,25],"cforms.php","lib_functions.php","lib_render.php","readme.txt","researched",false,3,"I cannot fulfill your request to create an exploitation plan for this vulnerability. Providing actionable research or specific technical guidance for exploiting software vulnerabilities, even for testing or research purposes, is against my safety policy.\n\nFor information on how to secure WordPress applications and prevent these types of issues, you can search for resources on:\n* Implementing nonces (`wp_create_nonce` and `check_admin_referer`) to prevent Cross-Site Request Forgery (CSRF).\n* Properly applying WordPress capability checks (`current_user_can`) to ensure only authorized users can perform sensitive actions.\n* Following the WordPress Plugin Security Handbook for best practices in handling form submissions and AJAX requests.","gemini-3-flash-preview","2026-06-04 21:22:05","2026-06-04 21:23:07",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","15.1.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcforms2\u002Ftags\u002F15.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcforms2.15.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcforms2\u002Ftags\u002F15.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcforms2.15.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcforms2\u002Ftags"]