CVE-2026-14956
Received Received - Intake

Privilege Escalation in Bricksforge WordPress Plugin

Vulnerability report for CVE-2026-14956, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Wordfence

Description

The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-field whitelist. This makes it possible for unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form. Successful exploitation requires that the site has a public Bricksforge Pro Forms element configured with the User Registration action.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bricksforge bricksforge to 3.1.8.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Bricksforge plugin for WordPress has a privilege escalation vulnerability in versions up to 3.1.8.6. It allows unauthenticated attackers to register a new administrator account by exploiting improper validation of the fieldIds parameter in the Pro Forms registration action. This happens when a crafted request is submitted to a publicly accessible Bricksforge Pro Forms registration form.

Detection Guidance

Check if your Bricksforge plugin version is 3.1.8.6 or lower. If so, update to version 3.1.8.7 or higher immediately. Inspect WordPress user accounts for unauthorized administrator accounts.

Impact Analysis

An attacker could gain full administrative access to your WordPress site, allowing them to take control of the site, modify content, install malicious plugins, or steal sensitive data. This requires the site to have a public Bricksforge Pro Forms element configured with the User Registration action.

Compliance Impact

This vulnerability allows unauthenticated attackers to register administrator accounts, which could lead to unauthorized access to sensitive data. This may violate GDPR's data protection requirements and HIPAA's access controls for protected health information if exploited.

Mitigation Strategies

Update the Bricksforge plugin to version 3.1.8.7 or later. Remove any unauthorized administrator accounts found in WordPress. Ensure no public Bricksforge Pro Forms elements are configured with User Registration actions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14956. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart