CVE-2026-32527
Missing Authorization in WP Insightly Plugin Affects Multiple Form Builders
Publication date: 2026-03-25
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crm_perks | wp_insightly_for_contact_form_7 | to 1.1.5 (inc) |
| wpforms | wpforms | to 1.1.5 (inc) |
| elementor | elementor | to 1.1.5 (inc) |
| formidable | formidable | to 1.1.5 (inc) |
| ninja_forms | ninja_forms | to 1.1.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32527 is a Missing Authorization vulnerability in the WordPress plugin "WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms" versions up to and including 1.1.5.
This vulnerability is a Broken Access Control issue caused by missing authorization, authentication, or nonce token checks in certain functions of the plugin.
It allows unprivileged users, such as subscribers or developers, to perform actions that should be restricted to higher privileged roles.
The issue falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to perform privileged actions within the affected WordPress plugin.
Such unauthorized actions can lead to potential compromise of website functionality or data integrity.
Because the vulnerability can be exploited by low-privilege users, it increases the risk of mass exploitation campaigns targeting many websites.
If exploited, it could result in unauthorized access or manipulation of contact form data or other plugin-related features.
Users are strongly advised to update to version 1.1.6 or later to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the WP Insightly plugin, allowing unprivileged users to perform restricted actions.
Detection can involve monitoring for unusual or unauthorized access attempts to the plugin's endpoints or functions, especially those that should require higher privilege levels.
While specific commands are not provided, network administrators can use web server logs or intrusion detection systems to look for suspicious POST or GET requests targeting the plugin's URLs or parameters.
Additionally, scanning the installed plugin version to verify if it is at or below 1.1.5 can help identify vulnerable installations.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate step is to update the WP Insightly plugin to version 1.1.6 or later, which contains the patch for this broken access control vulnerability.
For those unable to update immediately, applying the mitigation rule provided by Patchstack can block exploitation attempts until the plugin is patched.
Enabling automatic updates for vulnerable plugins and using continuous security intelligence services can also help protect WordPress sites from exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.