CVE-2026-5229
Published 2026-05-15
Priority: P268 | Severity: critical | CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% (49.6th percentile)
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address (which is common), the plugin falls back to reading the 'form_notify_line_email' cookie value without verifying that the LINE account is associated with that email address. This makes it possible for unauthenticated attackers to gain access to any user account on the site, including administrator accounts, by completing a LINE OAuth flow with their own LINE account while injecting a malicious cookie containing the target victim's email address.
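The trust failure described above, reduced to a small Python model with the flawed cookie fallback beside a hardened resolver. This is an added example, not the plugin's code: the `User` record, the `line_sub` link field, the function names and the sample accounts are assumptions, and it assumes the token claims have already been verified with LINE.

```python
# Simplified model of account resolution after a LINE OAuth callback.
# All names and data are constructed for illustration; not the plugin's code.
from dataclasses import dataclass
from typing import Optional

COOKIE = "form_notify_line_email"  # cookie name taken from the advisory


@dataclass
class User:
    login: str
    email: str
    line_sub: Optional[str] = None  # LINE user id, linked while logged in


# Constructed sample site accounts.
USERS = [
    User("admin", "admin@example.test"),
    User("alice", "alice@example.test", line_sub="U-alice"),
]


def by_email(email: Optional[str]) -> Optional[User]:
    """Look up a site account by email (case-insensitive)."""
    return next((u for u in USERS if email and u.email == email.lower()), None)


def resolve_vulnerable(claims: dict, cookies: dict) -> Optional[User]:
    """Flawed pattern: the cookie picks the account when LINE sends no email."""
    return by_email(claims.get("email") or cookies.get(COOKIE))


def resolve_hardened(claims: dict, cookies: dict) -> Optional[User]:
    """Use only values from the verified token; cookies never carry identity."""
    sub = claims.get("sub")
    linked = next((u for u in USERS if sub and u.line_sub == sub), None)
    if linked:
        return linked
    # Assumption: the site accepts the provider-supplied email claim.
    # The browser-supplied cookie is ignored. None means no session is
    # created; the user signs in normally and links LINE from their profile.
    return by_email(claims.get("email"))
```

With constructed claims that carry no email and a cookie naming another account, `resolve_vulnerable` returns that account while `resolve_hardened` returns `None`.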
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| m615926 | receive_notifications_after_form_submitting_form_notify_for_any_forms | <= 1.1.10 | — |
VulDB
m615926 Receive Notifications After Form Submitting Plugin Cookie form_notify_line_email improper authentication (EUVD-2026-30516)
vuldb·2026-05-15·CVSS 9.8
CVE-2026-5229 [CRITICAL] m615926 Receive Notifications After Form Submitting Plugin Cookie form_notify_line_email improper authentication (EUVD-2026-30516)
A vulnerability classified as critical has been found in m615926 Receive Notifications After Form Submitting Plugin up to 1.1.10 on WordPress. This impacts the function form_notify_line_email of the component Cookie Handler. This manipulation causes improper authentication.
This vulnerability appears as CVE-2026-5229. The attack may be initiated remotely. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
GHSA-6cpv-j32f-rqmr: The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1
ghsa_unreviewed·2026-05-15
CVE-2026-5229 [CRITICAL] CWE-287 GHSA-6cpv-j32f-rqmr: The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address (which is common), the plugin falls back to reading the 'form_notify_line_email' cookie value without verifying that the LINE account is associated with that email address. This makes it possible for unauthenticated attackers to gain access to any user account on the site, including administrator accounts, by completing a LINE OAuth flow with their own LINE account while injecting a malicious cookie containing the target victim's email address.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/oberonlai/form-notify/commit/5eab0ea
- https://github.com/oberonlai/form-notify/commit/9780764
- https://plugins.trac.wordpress.org/browser/form-notify/tags/1.1.08/src/APIs/Line/Login/Route.php#L116-L118
- https://plugins.trac.wordpress.org/browser/form-notify/tags/1.1.08/src/APIs/Line/Login/User.php#L53
- https://plugins.trac.wordpress.org/browser/form-notify/tags/1.1.08/src/APIs/Line/Login/User.php#L72
- https://plugins.trac.wordpress.org/browser/form-notify/trunk/src/APIs/Line/Login/Route.php#L116-L118
- https://plugins.trac.wordpress.org/browser/form-notify/trunk/src/APIs/Line/Login/User.php#L53
- https://plugins.trac.wordpress.org/browser/form-notify/trunk/src/APIs/Line/Login/User.php#L72
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3517908%40form-notify&new=3517908%40form-notify&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2f0a7d6f-9b95-4052-bab3-85aca01f6ab7?source=cve