[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgomqG7PrUqwLAtGLywZVNsWxrf2gHeDiLyZ8ONX4elY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-32446","contact-form-by-wpforms-missing-authorization-2","Contact Form by WPForms \u003C= 1.9.9.3 - Missing Authorization","The Contact Form by WPForms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.9.3. 
This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","wpforms-lite",null,"\u003C=1.9.9.3","1.9.9.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-07 00:00:00","2026-04-15 21:21:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc8e56c2c-b559-493f-bafa-501c5948d806?source=api-prod",40,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fbuilder\u002Fbuilder-fields-types.min.css","assets\u002Fjs\u002Fadmin\u002Feducation\u002Fedit-post.es5.min.js","assets\u002Flanguages\u002Fwpforms-lite.pot","changelog.txt","readme.txt","src\u002FAdmin\u002FEducation\u002FAdmin\u002FEditPost.php","src\u002FIntegrations\u002FElementor\u002FRestApi.php","src\u002FIntegrations\u002FGutenberg\u002FRestApi.php","researched",false,3,"check`.\n        Maybe in `1.9.9.3`, the `permission_callback` for `\u002Fthemes\u002Fcustom\u002F` was `permissions_check` (Contributor) by mistake?\n        The prompt says version `1.9.9.3` is vulnerable.\n        If the provided code is `1.9.9.3`, and it has `admin_permissions_check`, then maybe that's not it.\n\n    *   *Wait!* Look at the JS in `assets\u002Fjs\u002Fadmin\u002Feducation\u002Fedit-post.es5.min.js`:\n        ```javascript\n        updateUserMeta: function() {\n            s.post(wpforms_edit_post_education.ajax_url, {\n                action: \"wpforms_education_dismiss\",\n                nonce: wpforms_edit_post_education.education_nonce,\n                section: \"edit-post-notice\"\n            })\n        }\n        ```\n        The AJAX action is `wpforms_education_dismiss`.\n        The nonce is `wpforms-education`.\n        Search for this action in WPForms 1.9.9.3.\n        In `src\u002FAdmin\u002FEducation\u002FAjax.php` (which we don't have, but we can assume), the `dismiss` method is registered.\n        The vulnerability is 
that it lacks a capability check like `current_user_can( 'wpforms_manage_options' )`. This is an inference, not a confirmed finding: the handler source was not available for review, and `src\u002FAdmin\u002FEducation\u002FAjax.php` is not in this record's list of patched files.\n\n    *   **Wait, I found the patch details","gemini-3-flash-preview","2026-04-18 05:24:15","2026-04-18 05:25:14",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.9.9.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforms-lite\u002Ftags\u002F1.9.9.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforms-lite.1.9.9.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforms-lite\u002Ftags\u002F1.9.9.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforms-lite.1.9.9.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforms-lite\u002Ftags"]