CVE-2026-11794
Status: Received - Intake

Unauthenticated Administrator Account Creation in Advanced Form Integration WordPress Plugin

Vulnerability report for CVE-2026-11794, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: WPScan

Description

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user role to a public form field. This requires a specific, non-default multi-plugin configuration.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

One associated CPE:

Vendor: advanced_form_integration
Product: advanced_form_integration
Version / Range: all versions up to 2.1.1 (2.1.1 excluded)

Exploitability

CWE ID: CWE-UNKNOWN (no description given)

Executive Summary

The Advanced Form Integration plugin for WordPress before version 2.1.1 has a vulnerability that allows unauthenticated attackers to create administrator accounts.

This happens when a specific multi-plugin configuration is used, including Advanced Form Integration 2.1.0, WooCommerce or FluentAffiliate, and Breakdance with a published form.

The vulnerability arises because the plugin does not restrict the WordPress role assigned when creating a user from a public form submission if an admin maps the user role field in an integration to a public form field.

An attacker can submit a crafted form setting the role to "administrator" and use the email as both login and password, thereby creating a new WordPress user with administrator privileges without authentication.

This is a privilege escalation vulnerability classified under OWASP's A2 category for broken authentication and session management.

Impact Analysis

This vulnerability allows an unauthenticated attacker to gain administrator access to a WordPress site.

With administrator privileges, the attacker can fully control the website, including modifying content, installing malicious plugins or themes, stealing sensitive data, and disrupting site operations.

Such unauthorized access can lead to data breaches, defacement, loss of user trust, and potential further exploitation of the server or network.

Detection Guidance

This vulnerability can be detected by checking whether the Advanced Form Integration WordPress plugin is installed at a version prior to 2.1.1, especially if it is configured with multiple integrations such as WooCommerce or FluentAffiliate and Breakdance with a published form.

To detect whether an unauthorized administrator account has already been created, review the WordPress user list for suspicious administrator accounts that may have been created via form submissions; the description above notes that such accounts would have been registered with the submitted e-mail address as the login.

Suggested commands to help detect this vulnerability or its exploitation include:

  • Use WP-CLI to list all users with administrator roles: `wp user list --role=administrator`
  • Check the plugin version installed: `wp plugin status advanced-form-integration` or `wp plugin list | grep advanced-form-integration`
  • Review recent user registrations in the WordPress database, for example by querying the `wp_users` table for recent entries with suspicious usernames or emails.
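
The following script is an added example for the detection steps above; it is not part of the advisory or of the plugin. It parses the CSV that WP-CLI produces for `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` and flags administrators that were registered recently or whose login equals their e-mail address (the pattern the description above associates with accounts created through a public form). The CSV sample, the 30-day window and the heuristics are constructed assumptions for this example; a legitimate administrator can match them, so the output is a triage list, not proof of compromise.

```python
"""Triage administrator accounts exported with WP-CLI.

Assumed input (run on the site, then feed the output to this script):

    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv

Added example, not the plugin's or the advisory's own code.
"""
import csv
import io
import sys
from datetime import datetime, timedelta

# Constructed sample output for an offline run. WordPress stores
# wp_users.user_registered in UTC, so timestamps are compared as UTC.
SAMPLE_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2024-03-02 10:15:00
7,jane.editor,jane@example.com,2025-11-20 09:00:00
42,attacker@example.net,attacker@example.net,2026-06-30 23:41:12
43,Mallory@example.org,mallory@example.org,2026-07-01 00:05:40
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_user_list(csv_text):
    """Parse WP-CLI CSV output into dicts, adding a parsed datetime."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["registered_at"] = datetime.strptime(row["user_registered"], TIME_FMT)
        users.append(row)
    return users


def flag_suspicious_admins(users, now, window_days=30):
    """Return {login: [reasons]} for admins matching either heuristic.

    Heuristic 1: registered inside the review window (assumed 30 days).
    Heuristic 2: login and e-mail are identical (case-insensitive), the
    shape a form-created account would have per the description above.
    """
    cutoff = now - timedelta(days=window_days)
    flagged = {}
    for u in users:
        reasons = []
        if u["registered_at"] >= cutoff:
            reasons.append(f"registered within last {window_days} days")
        if u["user_login"].strip().lower() == u["user_email"].strip().lower():
            reasons.append("login equals e-mail address")
        if reasons:
            flagged[u["user_login"]] = reasons
    return flagged


def triage(csv_text, now_str, window_days=30):
    """Convenience wrapper: CSV text plus a 'now' timestamp string (UTC)."""
    return flag_suspicious_admins(
        parse_user_list(csv_text), datetime.strptime(now_str, TIME_FMT), window_days
    )


if __name__ == "__main__":
    # Read real WP-CLI output from stdin, or fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    now = datetime.utcnow().strftime(TIME_FMT)
    for login, reasons in triage(data, now).items():
        print(f"{login}: {'; '.join(reasons)}")
```

Pipe the real export into the script (`wp user list ... --format=csv | python3 triage_admins.py`) and then confirm each flagged account against the site's change records before removing it; the IDs and dates above are constructed and carry no meaning beyond the example.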

Mitigation Strategies

The immediate mitigation step is to update the Advanced Form Integration plugin to version 2.1.1 or later, where this vulnerability has been fixed.

Additionally, review and modify any multi-plugin configurations that map user roles to public form fields to ensure that unauthenticated users cannot assign themselves administrator privileges.

As a precaution, audit the list of administrator accounts for any unauthorized users created via this vulnerability and remove them if found.

Compliance Impact

This vulnerability allows unauthenticated attackers to create administrator accounts on a WordPress site by exploiting a misconfiguration in the Advanced Form Integration plugin. Such unauthorized privilege escalation can lead to unauthorized access to sensitive data and administrative functions.

From a compliance perspective, this unauthorized access could result in violations of common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data. If attackers gain administrator privileges, they could access, modify, or exfiltrate protected data, thereby compromising compliance.

Therefore, organizations using affected versions of this plugin without the fix may face increased risk of non-compliance due to potential data breaches or unauthorized data access stemming from this vulnerability.
