CVE-2026-2022
Unauthorized Data Access in Smart Forms WordPress Plugin

Publication date: 2026-02-14

Last updated on: 2026-02-14

Assigner: Wordfence

Description
The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-14
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: rednao
Product: smart_forms
Version / Range: up to and including 2.6.99
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the Smart Forms plugin for WordPress, specifically in the 'rednao_smart_forms_get_campaigns' AJAX action. This action lacks a proper capability check, which means that authenticated users with Subscriber-level access or higher can exploit it to retrieve donation campaign data.

The exposed data includes campaign IDs and names, which should normally be restricted. The issue affects all versions of the plugin up to and including version 2.6.99.


How can this vulnerability impact me?

This vulnerability allows authenticated users with low-level access (Subscriber and above) to access donation campaign information that they should not normally see.

While the impact is limited to disclosure of campaign IDs and names (no modification or deletion), it can lead to unauthorized exposure of sensitive campaign data, potentially aiding further attacks or information gathering.

The CVSS score of 4.3 (Medium severity) reflects that the vulnerability is remotely exploitable over the network with low complexity and no user interaction required, but it only impacts confidentiality.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized access to the AJAX action 'rednao_smart_forms_get_campaigns' in the Smart Forms WordPress plugin. To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting this AJAX endpoint.

Specifically, look for authenticated requests (with at least Subscriber-level access) to a URL pattern similar to: wp-admin/admin-ajax.php?action=rednao_smart_forms_get_campaigns

Suggested commands to detect such activity include:

  • Using web server logs (e.g., Apache or Nginx), grep for the AJAX action: grep 'action=rednao_smart_forms_get_campaigns' /var/log/apache2/access.log (note that a POST request carries the action in the request body, which default access logs do not record, so consider logging request bodies for admin-ajax.php or matching the action in a WAF rule).
  • Using command-line tools to monitor live traffic for this AJAX action: sudo tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'action=rednao_smart_forms_get_campaigns' (traffic on port 443 is TLS-encrypted, so this grep only matches plaintext HTTP on port 80; for HTTPS sites rely on the web server's access log instead).
  • If you have access to WordPress logs or can enable debug logging, monitor for calls to the 'rednao_smart_forms_get_campaigns' AJAX action.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should immediately restrict access to the vulnerable AJAX action by ensuring proper capability checks are in place.

Since the vulnerability allows any authenticated user with Subscriber-level access or higher to retrieve sensitive campaign data, consider the following steps:

  • Update the Smart Forms plugin to a version later than 2.6.99 where the missing capability check is fixed.
  • If an update is not immediately available, temporarily disable or restrict access to the 'rednao_smart_forms_get_campaigns' AJAX action by modifying the plugin code or using security plugins to block access.
  • Review user roles and permissions to limit Subscriber-level users from accessing sensitive data if possible.
  • Monitor logs for suspicious access attempts to the vulnerable AJAX endpoint.
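The missing capability check described above, as an added illustrative example that is not the Smart Forms plugin's own code: a hypothetical AJAX handler registered on the page's action name, first in the vulnerable shape and then hardened with a nonce and capability check. The table name, nonce action and required capability are assumptions.

```php
<?php
// Illustrative example, not the Smart Forms plugin's own code.
// A donation-campaign lookup exposed through admin-ajax.php
// (wp-admin/admin-ajax.php?action=rednao_smart_forms_get_campaigns).

// Vulnerable shape (CWE-862): every logged-in user reaches the handler,
// because wp_ajax_* hooks only require authentication, not authorization.
function example_get_campaigns_vulnerable() {
    global $wpdb;
    // Hypothetical table name; the real schema is not on the page.
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}example_campaigns",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

// Hardened shape: verify the request origin (nonce) and the capability
// before touching any data. Subscribers lack 'manage_options', so they
// receive HTTP 403 instead of the campaign list.
function example_get_campaigns_hardened() {
    // Hypothetical nonce action; it must match the one used when the
    // nonce was generated with wp_create_nonce() on the admin page.
    check_ajax_referer( 'example_campaigns_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}example_campaigns",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

// Register only the hardened handler. Deliberately no 'wp_ajax_nopriv_'
// hook: unauthenticated visitors have no reason to call this endpoint.
add_action( 'wp_ajax_rednao_smart_forms_get_campaigns', 'example_get_campaigns_hardened' );
```

To verify the fix, a Subscriber test account should receive HTTP 403 from the endpoint while an administrator still receives the JSON campaign list.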
