CVE-2026-2022

Smart Forms <= 2.6.100 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure

Severity: Medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 2.6.101
Time to patch: 80d

Description

The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.100. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 2.6.100
Published: February 13, 2026
Last updated: May 4, 2026
Affected plugin: smart-forms

Research Plan (Unverified)


Research Plan: CVE-2026-2022 Smart Forms Campaign Data Exposure

1. Vulnerability Summary

The Smart Forms plugin for WordPress (up to version 2.6.99) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the action rednao_smart_forms_get_campaigns fails to verify the capabilities of the requesting user. While the action is registered via wp_ajax_, which requires an authenticated session, it does not restrict access to administrative users. Consequently, any authenticated user, including those with the Subscriber role, can trigger this action to retrieve a list of donation campaigns, exposing internal campaign IDs and names.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: rednao_smart_forms_get_campaigns
  • HTTP Method: POST
  • Authentication: Required (Subscriber or higher)
  • Parameters:
    • action: rednao_smart_forms_get_campaigns
    • security or nonce (inferred): Potential nonce check (see Section 4).
  • Preconditions: At least one campaign must exist in the system for data to be returned.

3. Code Flow

  1. Registration: The plugin registers the AJAX handler (likely in an initialization class or a dedicated AJAX controller).
    • add_action( 'wp_ajax_rednao_smart_forms_get_campaigns', [ $instance, 'rednao_smart_forms_get_campaigns' ] );
  2. Entry Point: A POST request is sent to admin-ajax.php with action=rednao_smart_forms_get_campaigns.
  3. Missing Check: The handler function (e.g., rednao_smart_forms_get_campaigns()) is executed. It typically performs a database query (likely against a custom table like wp_rednao_smart_forms_campaigns or via a specific class method).
  4. Vulnerability: The function lacks a call to current_user_can( 'manage_options' ) or a similar capability check before fetching and echoing the campaign data.
  5. Data Sink: The function returns a JSON array of objects containing campaign details to the requester.
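A small static audit for this bug class, added here as an example and not part of the advisory or the plugin's code: it finds every wp_ajax_ registration in a PHP source string, locates the callback by name, and reports handlers whose body has no current_user_can() or nonce check, which is exactly the gap described in the code flow above. The embedded PHP is a constructed sample that mirrors the handler shape described on this page, not the real Smart Forms source, and the regexes plus brace matching are a deliberately simple stand-in for a PHP parser.

```python
import re
# Constructed sample (not the real Smart Forms source): the first handler mirrors
# the advisory's bug (nonce only), the second adds the capability check.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_rednao_smart_forms_get_campaigns', [ $this, 'rednao_smart_forms_get_campaigns' ] );
add_action( 'wp_ajax_rednao_smart_forms_save_form', array( $this, 'save_form' ) );
public function rednao_smart_forms_get_campaigns() {
    check_ajax_referer( 'rednao_smart_forms_nonce', 'security' );
    echo json_encode( $wpdb->get_results( "SELECT id, name FROM {$wpdb->prefix}rednao_smart_forms_campaigns" ) );
    wp_die();
}
public function save_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( -1, 403 );
    }
    check_ajax_referer( 'rednao_smart_forms_nonce', 'security' );
    wp_send_json_success();
}
"""
# add_action( 'wp_ajax_<action>', 'func' | [ $obj, 'func' ] | array( $obj, 'func' ) )
HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_ajax_(nopriv_)?(\w+)['\"]\s*,\s*"
                     r"(?:\[|array\()?\s*(?:\$\w+\s*,\s*)?['\"](\w+)['\"]")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\(")

def function_body(src, name):
    """Text between the braces of `function name(...) { ... }`, or None if undefined."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth > 0:  # naive brace matching, enough for plugin code
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    """Return (action, callback, missing) for each wp_ajax_ handler lacking a check."""
    findings = []
    for nopriv, action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback) or ""  # undefined callback: treated as no checks
        missing = []
        if not nopriv and not CAP_RE.search(body):  # nopriv handlers serve logged-out users
            missing.append("capability check")
        if not NONCE_RE.search(body):
            missing.append("nonce check")
        if missing:
            findings.append((action, callback, ", ".join(missing)))
    return findings
```

Run over a plugin's concatenated PHP files, the findings list is a review worklist: every wp_ajax_ action that reaches a data sink with no capability check is a candidate for the same Subscriber+ exposure.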

4. Nonce Acquisition Strategy

The plugin likely uses a nonce to protect its AJAX actions. Based on standard RedNao plugin patterns:

  1. Identify Script Localization: Search for wp_localize_script in the plugin source to find the object name. It is likely named something like rn_smart_forms_data or rednao_smart_forms_vars.
  2. Shortcode Method: If the nonce is only loaded on specific pages, find a shortcode (e.g., [smart-form]) and create a page with it.
  3. Admin Dashboard Method: Since this is a Subscriber+ vulnerability, the nonce may be available in the standard WordPress admin dashboard for all logged-in users if the plugin enqueues its scripts for all authenticated users.

Execution Steps for Agent:

  • Navigate to the WordPress dashboard as a Subscriber.
  • Run the following in browser_eval:
    // Look for common RedNao nonce locations
    window.rn_smart_forms_data?.nonce || 
    window.rednao_smart_forms_vars?.nonce || 
    document.querySelector('input[name="security"]')?.value
    
  • If not found, search the plugin source for wp_create_nonce('rednao_smart_forms_get_campaigns') or similar strings to identify the exact nonce action name.

5. Exploitation Strategy

  1. Login: Authenticate as a Subscriber-level user.
  2. Extract Nonce: Use the browser_eval tool to extract the required nonce from the admin dashboard or a page where the plugin is active.
  3. Perform Request: Use http_request to call the vulnerable AJAX action.

Request Details:

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=rednao_smart_forms_get_campaigns&security=<NONCE_VALUE>
    (Note: The parameter name for the nonce might be security, nonce, or _wpnonce. Verify this in the source code.)

6. Test Data Setup

To ensure a successful proof of concept, campaign data must exist:

  1. Create Campaign: Use WP-CLI or the plugin UI (as Admin) to create at least two donation campaigns.
    • Example (Inferred SQL if UI is complex):
      wp db query "INSERT INTO wp_rednao_smart_forms_campaigns (name, description) VALUES ('Spring Fundraiser 2024', 'Annual spring drive'), ('Emergency Relief', 'Disaster support');"
  2. Create Subscriber:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123

7. Expected Results

  • Success: The server responds with HTTP 200 OK and a JSON body containing an array of campaign objects.
    • Example Response: [{"id":"1","name":"Spring Fundraiser 2024"},{"id":"2","name":"Emergency Relief"}]
  • Failure: The server responds with HTTP 403 Forbidden or a -1 / 0 (standard WordPress AJAX error) if the nonce is wrong or if a capability check is actually present.

8. Verification Steps

  1. Manual Check: Compare the JSON output from the exploit against the list of campaigns visible in the Admin UI.
  2. Database Check: Verify the IDs and names match the database:
    • wp db query "SELECT id, name FROM wp_rednao_smart_forms_campaigns;"

9. Alternative Approaches

  • Missing Nonce Check: If wp_verify_nonce is also missing or uses the default action -1, the exploit may work without a valid specific nonce or even with an invalid one.
  • REST API: Check if the plugin registers a similar endpoint under wp-json/. Vulnerabilities in RedNao plugins often span across both AJAX and REST interfaces. Search for register_rest_route.
Research Findings (static analysis, not yet PoC-verified)

Summary

The Smart Forms plugin for WordPress is vulnerable to unauthorized data disclosure due to a missing authorization check in its AJAX handler for donation campaigns. This allows authenticated users with Subscriber-level permissions or higher to retrieve sensitive campaign metadata, including internal IDs and names, which should be restricted to administrators.

Vulnerable Code

// File: smart-forms/includes/ajax-logic.php (approximate)

add_action( 'wp_ajax_rednao_smart_forms_get_campaigns', [ $this, 'rednao_smart_forms_get_campaigns' ] );

public function rednao_smart_forms_get_campaigns() {
    // Potential nonce check might exist here, but capability check is missing
    // check_ajax_referer('rednao_smart_forms_nonce', 'security');

    global $wpdb;
    $table_name = $wpdb->prefix . 'rednao_smart_forms_campaigns';
    $results = $wpdb->get_results("SELECT id, name FROM $table_name");

    echo json_encode($results);
    wp_die();
}

Security Fix

--- a/smart-forms/includes/ajax-logic.php
+++ b/smart-forms/includes/ajax-logic.php
@@ -1,4 +1,8 @@
 public function rednao_smart_forms_get_campaigns() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( -1 );
+    }
+
     check_ajax_referer( 'rednao_smart_forms_nonce', 'security' );
 
     global $wpdb;
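Review bot: the new `wp_die( -1 );` in the capability check sends the `-1` body with an HTTP 200 status because no status argument is given, whereas the failure path of the `check_ajax_referer( 'rednao_smart_forms_nonce', 'security' );` call right below it responds with 403; use `wp_die( -1, 403 );` (or `wp_send_json_error( null, 403 );`) so both refusals look the same to callers and match the 403 failure signal listed under Expected Results on this page. Separately, this pre-image shows the nonce check as live code, while the Vulnerable Code block above shows the same `check_ajax_referer` line commented out; the two should agree on whether the unpatched handler verified a nonce, since that decides whether the exposure is reachable without any nonce at all.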

Exploit Outline

The exploit targets the WordPress AJAX endpoint to leak campaign information. An attacker follows these steps:

  1. Authenticate as a Subscriber-level user.
  2. Access the WordPress dashboard or a page with a Smart Form to extract a valid nonce (likely associated with the 'security' or 'nonce' parameter) found in global JavaScript variables like 'rn_smart_forms_data'.
  3. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'rednao_smart_forms_get_campaigns' and the extracted 'security' nonce.
  4. The server responds with a JSON array containing the names and IDs of all donation campaigns stored in the plugin's database tables.
