CVE-2026-39436 PUBLISHED

WordPress CformsII plugin <= 15.1.3 - Cross Site Request Forgery (CSRF) vulnerability

Assigner: Patchstack
Reserved: 07.04.2026 Published: 25.05.2026 Updated: 26.05.2026

Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery.

This issue affects CformsII: from n/a through 15.1.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
CVSS Score: 7.1

Product Status

Vendor bgermann
Product CformsII
Versions Default: unaffected
  • affected from n/a to 15.1.3 (incl.)

Solutions

Update the WordPress CformsII Plugin to the latest available version (at least 15.1.4).

Credits

  • Ilay Striechman | Patchstack Bug Bounty Program finder

References

Problem Types

  • CWE-352 Cross-Site Request Forgery (CSRF) CWE

Impacts

  • CAPEC-62 Cross Site Request Forgery