CVE-2026-24985
Missing Authorization in WP Forms Signature Contract Add-On
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| approveme | wp_forms_signature_contract_add_on | to 1.8.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24985 is a Broken Access Control vulnerability in the WordPress WP Forms Signature Contract Add-On Plugin versions up to and including 1.8.2.
The issue arises from missing authorization, authentication, or nonce token checks within certain functions, which allows unprivileged users to perform actions that should be restricted to higher-privileged roles.
This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks within certain functions of the WP Forms Signature Contract Add-On Plugin versions up to 1.8.2.
Detection would involve verifying the plugin version installed on your WordPress system and checking for unauthorized access attempts or actions performed by users with Subscriber or Developer roles that should be restricted.
Since the vulnerability is related to broken access control in the plugin, you can detect it by running commands to identify the plugin version, such as:
- Use WP-CLI to check the plugin version: `wp plugin list | grep wp-forms-signature-contract-add-on`
- Review web server logs for suspicious requests or actions performed by low-privileged users that should require higher privileges.
- Monitor WordPress user roles and permissions to detect any unauthorized privilege escalations or actions.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WP Forms Signature Contract Add-On Plugin to version 1.8.3 or later, where this vulnerability has been fixed.
Additionally, you should ensure that user roles and permissions are properly configured to prevent unprivileged users from performing restricted actions.
Using automated update tools like Patchstack can help rapidly protect your system by applying patches as soon as they are available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Broken Access Control issue that allows unprivileged users to perform actions reserved for higher-privileged roles due to missing authorization checks.
While the vulnerability could potentially lead to unauthorized access or actions within the affected plugin, the provided information does not specify any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.
Therefore, based on the available data, there is no explicit indication that this vulnerability directly affects compliance with these regulations.
How can this vulnerability impact me? :
Exploiting this vulnerability allows users with at least Subscriber or Developer roles to perform unauthorized actions that are normally reserved for higher-privileged users.
Although the CVSS score is 4.3, indicating low severity with minimal impact and low likelihood of exploitation, it can still lead to unauthorized access or changes within the affected plugin.
Users are advised to update to version 1.8.3 or later to mitigate this risk.