CVE-2026-11794 PUBLISHED

Advanced Form Integration < 2.1.1 - Unauthenticated Privilege Escalation via Breakdance Form Role Mapping

Assigner: WPScan
Reserved: 09.06.2026 Published: 01.07.2026 Updated: 01.07.2026

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user role to a public form field. This requires a specific, non-default multi-plugin configuration.

Product Status

Vendor: Unknown
Product: Advanced Form Integration — Connect Forms to 200+ Apps
Versions: Default: unaffected
  • affected from 0 to 2.1.1 (excl.)

Credits

  • Khaled Alenazi (Nxploited), finder
  • WPScan, coordinator

Problem Types

  • CWE-269: Improper Privilege Management