[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1wrF4VxS9QDauzGRlz_cZRC2awKQkd7WWw5Iaz6DtgQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-5229","receive-notifications-after-form-submitting-form-notify-for-any-forms-unauthenticated-authentication-bypass-via-line-oau","Receive Notifications After Form Submitting – Form Notify for Any Forms \u003C= 1.1.10 - Unauthenticated Authentication Bypass via LINE OAuth Callback","The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address (which is common), the plugin falls back to reading the 'form_notify_line_email' cookie value without verifying that the LINE account is associated with that email address. This makes it possible for unauthenticated attackers to gain access to any user account on the site, including administrator accounts, by completing a LINE OAuth flow with their own LINE account while injecting a malicious cookie containing the target victim's email address.","form-notify",null,"\u003C=1.1.10","1.1.11","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Authentication","2026-05-14 18:59:36","2026-05-15 07:46:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2f0a7d6f-9b95-4052-bab3-85aca01f6ab7?source=api-prod",1,[22,23,24,25,26,27,28,29],"Readme.txt","form-notify.php","src\u002FAPIs\u002FHistoryTable.php","src\u002FAPIs\u002FLine\u002FLogin\u002FButton.php","src\u002FAPIs\u002FLine\u002FLogin\u002FRoute.php","src\u002FAPIs\u002FLine\u002FLogin\u002FSdk.php","src\u002FAPIs\u002FLine\u002FLogin\u002FUser.php","src\u002FAPIs\u002FLine\u002FMessage.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-5229 (Form Notify Authentication Bypass)\n\n## 1. Vulnerability Summary\nThe **Receive Notifications After Form Submitting – Form Notify for Any Forms** plugin (version \u003C= 1.1.10) is vulnerable to an unauthenticated authentication bypass. The vulnerability resides in the LINE OAuth callback logic. Specifically, when a user authenticates via LINE but does not provide an email address (e.g., they denied the email scope), the plugin trusts user-controlled data (the `form_notify_line_email` cookie) to determine which WordPress account to log into.\n\nAn attacker can use their own LINE account to satisfy the OAuth signature verification and then provide a target administrator's email in the cookie to gain full administrative access.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fform-notify\u002Fv1\u002Fcallback` (REST API)\n- **Method:** `GET`\n- **Preconditions:** \n    1. The plugin must have LINE Login configured (`form_notify_line_login_channel_id` and `secret` set).\n    2. An attacker must have a valid LINE account.\n    3. The attacker must know the email address of a target administrator.\n- **Vulnerable Parameters:** `form_notify_line_email` (Cookie).\n- **Authentication:** Unauthenticated. The `permission_callback` for the REST route is `__return_true`.\n\n## 3. Code Flow\n1. **Entry Point:** The attacker initiates the flow by calling `GET \u002Fwp-json\u002Fform-notify\u002Fv1\u002Flogin`.\n2. **State Generation:** `Route::get_api_login()` (in `src\u002FAPIs\u002FLine\u002FLogin\u002FRoute.php`) generates a `state` using `md5(time())`, stores it in a transient `form_notify_line_state_{state}`, and redirects the user to LINE.\n3. **OAuth Verification:** After the attacker authenticates with their LINE account, LINE redirects back to `\u002Fwp-json\u002Fform-notify\u002Fv1\u002Fcallback?code={CODE}&state={STATE}`.\n4. **Callback Handling:** `Route::get_api_callback()` (in `src\u002FAPIs\u002FLine\u002FLogin\u002FRoute.php`):\n    - Validates that the provided `state` matches the transient\u002Fsession.\n    - Calls `SDK::get_access_token($code)` to exchange the code for a token from LINE.\n    - Calls `SDK::get_line_profile(...)` which calls `https:\u002F\u002Fapi.line.me\u002Foauth2\u002Fv2.1\u002Fverify` to validate the ID Token.\n5. **Vulnerable Sink:**\n    - If LINE does not provide an email (`$user->email` is empty), the code (in the vulnerable version as described) falls back to reading `$_COOKIE['form_notify_line_email']` (Inferred based on description; provided snippet in `Route.php` line 126 shows a hardcoded fallback `$user_raw_id . '@line.com'`, suggesting the cookie usage was the original implementation or exists in a specific configuration path).\n    - The determined `$user_email` is passed to `User::is_member($user_email, ...)` and then `User::login(...)` in `src\u002FAPIs\u002FLine\u002FLogin\u002FUser.php`.\n6. **Authentication Bypass:** `User::login()` calls `wp_set_auth_cookie($this->user->ID)` for the user found via the malicious email, effectively logging the attacker in as the victim.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerable REST routes (`form-notify\u002Fv1\u002Flogin` and `form-notify\u002Fv1\u002Fcallback`) **do not require a WordPress nonce**.\n\nThe `register_api_route` function in `src\u002FAPIs\u002FLine\u002FLogin\u002FRoute.php` defines the `permission_callback` as `true` for both endpoints. These are public OAuth endpoints meant for external redirects.\n\nIf a nonce were needed for any reason, the plugin localizes `lineLoginButtonParams` in `form-notify.php`:\n- **JS Variable:** `window.lineLoginButtonParams`\n- **Extraction:** `browser_eval(\"window.lineLoginButtonParams.some_key\")` (though no nonce is registered in the provided `wp_localize_script` call).\n\n## 5. Exploitation Strategy\n\n### Step 1: Initialize Session and State\nCall the login endpoint to populate the transient on the server.\n- **Request:** `GET \u002Fwp-json\u002Fform-notify\u002Fv1\u002Flogin`\n- **Tool:** `http_request`\n- **Objective:** Follow the redirect to capture the `state` parameter generated by the plugin.\n\n### Step 2: Prepare Mock LINE Responses (Local Test Environment)\nBecause the PoC environment cannot connect to real LINE APIs, the agent must intercept the `wp_remote_request` calls made by `SDK.php` to `api.line.me`.\n- **Mock Token Response:** Return a valid-looking `access_token` and `id_token`.\n- **Mock Verify Response:** Return a JSON object where `sub` is the attacker's LINE ID, but **`email` is omitted**.\n\n### Step 3: Execute Callback with Malicious Cookie\nSend the callback request with the valid `state` and the target administrator's email in the cookie.\n- **URL:** `\u002Fwp-json\u002Fform-notify\u002Fv1\u002Fcallback?code=mock_code&state={STATE_FROM_STEP_1}`\n- **Method:** `GET`\n- **Cookie Header:** `form_notify_line_email=admin@example.com`\n- **Tool:** `http_request`\n\n### Step 4: Capture Auth Cookies\nThe response to Step 3 should include `Set-Cookie` headers for `wordpress_logged_in_...`.\n\n## 6. Test Data Setup\n1. **Target User:** Ensure an administrator exists with email `admin@example.com`.\n   - `wp user create attacker attacker@example.com --role=administrator` (or use existing).\n2. **Plugin Configuration:** The plugin needs a dummy Channel ID to enable the routes.\n   - `wp option update form_notify_line_login_channel_id \"123456\"`\n   - `wp option update form_notify_line_login_channel_secret \"secret\"`\n\n## 7. Expected Results\n- The request to `\u002Fwp-json\u002Fform-notify\u002Fv1\u002Fcallback` should result in a `302 Redirect` (likely to the admin dashboard or the URL stored in `login_redirect_url`).\n- The response headers should contain a valid WordPress authentication cookie (`wordpress_logged_in_...`) for the administrator account.\n\n## 8. Verification Steps\n1. **Identify the session:** Capture the `wordpress_logged_in` cookie from the exploit response.\n2. **Verify Identity:** Use the captured cookie to make a request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u002Fme`.\n   - **Expected:** The response JSON should show `slug: \"admin\"` and `capabilities: { administrator: true }`.\n3. **Database Check:** Verify the `form_notify_line_user_id` meta was added to the admin user.\n   - `wp user meta get 1 form_notify_line_user_id`\n\n## 9. Alternative Approaches\nIf the `form_notify_line_email` cookie is not the direct injection point:\n- **Check `lgmode` Parameter:** The `User::set_login_redirect_url` function in `src\u002FAPIs\u002FLine\u002FLogin\u002FUser.php` processes the `lgmode` parameter and sets a `login_redirect_url` cookie. Check if this can be used for Open Redirect to steal tokens if the site is configured with other SSO.\n- **Sign-Up Flow:** If the target email does not exist, the plugin calls `User::sign_up()`. An attacker could potentially register a new account with arbitrary roles if `form_notify_line_btn_user_role` is misconfigured.","gemini-3-flash-preview","2026-05-20 17:42:39","2026-05-20 17:44:18",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.1.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-notify\u002Ftags\u002F1.1.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-notify.1.1.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-notify\u002Ftags\u002F1.1.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-notify.1.1.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-notify\u002Ftags"]