PatchSiren cyber security CVE debrief
CVE-2026-39436 bgermann CVE debrief
A Cross-Site Request Forgery (CSRF) vulnerability exists in the CformsII WordPress plugin, affecting versions up to and including 15.1.3. The vulnerability allows an attacker to perform unauthorized actions on behalf of an authenticated user by tricking them into submitting a malicious request. With a CVSS 3.1 score of 7.1 (HIGH), this issue presents significant risk due to its network attack vector, low attack complexity, and high availability impact, which indicates that successful exploitation could disrupt service availability. The vulnerability was published in the CVE database on May 25, 2026, with a subsequent modification on May 26, 2026. The NVD entry currently carries a 'Deferred' status, suggesting analysis is ongoing. No known exploitation in ransomware campaigns has been reported, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: bgermann
- Product: CformsII
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators using CformsII plugin versions 15.1.3 or earlier; security teams managing WordPress deployments; developers maintaining forks or customizations of CformsII
Technical summary
The CformsII plugin for WordPress contains a Cross-Site Request Forgery vulnerability due to insufficient validation of requests. An attacker can craft a malicious request that, when executed by an authenticated administrator, performs unintended actions such as modifying plugin settings or forms. The vulnerability requires user interaction (the victim must click a link or visit a malicious page), but the attacker needs no account or privileges on the target site; only the victim must be logged in. The high availability impact in the CVSS scoring suggests that exploitation may lead to denial of service conditions or data loss affecting plugin functionality.
Defensive priority
HIGH
Recommended defensive actions
- Update CformsII plugin to a version newer than 15.1.3 if available, or apply vendor-provided patches
- Implement CSRF protection tokens in custom implementations if maintaining a fork
- Review and restrict administrative access to WordPress dashboards to reduce attack surface
- Enable WordPress security headers including SameSite cookie attributes
- Monitor for unauthorized form submissions or configuration changes in CformsII
- Consider temporarily disabling the plugin if no patch is available and the functionality is not critical
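For anyone maintaining a fork, the following is an added illustration (not CformsII code) of what the CSRF-token recommendation looks like in a WordPress admin handler: an unprotected settings save beside a version that uses WordPress nonces and a capability check. The option name, action slug and form field are hypothetical.

```php
<?php
// Added example, not CformsII code. Hypothetical option 'myfork_settings'
// and admin-post action 'myfork_save_settings'.

// BEFORE: the handler trusts any POST that arrives with the admin's session
// cookie, so a request initiated from another site is honoured (CWE-352).
function myfork_save_settings_unsafe() {
    update_option( 'myfork_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_safe_redirect( admin_url( 'admin.php?page=myfork' ) );
    exit;
}

// AFTER: the form embeds a per-user, time-limited nonce bound to the action.
// The nonce proves the request came from a form WordPress rendered for this
// user; current_user_can() separately proves the user is authorised.
function myfork_render_settings_form() {
    $opts = (array) get_option( 'myfork_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myfork_save_settings">
        <?php wp_nonce_field( 'myfork_save_settings', 'myfork_nonce' ); ?>
        <input type="text" name="settings[title]"
               value="<?php echo esc_attr( $opts['title'] ?? '' ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function myfork_save_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Rejects the request (403 and die) when the nonce is missing, expired,
    // or was issued for a different user or action.
    check_admin_referer( 'myfork_save_settings', 'myfork_nonce' );

    $raw   = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array( 'title' => sanitize_text_field( $raw['title'] ?? '' ) );
    update_option( 'myfork_settings', $clean );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=myfork' ) ) );
    exit;
}
add_action( 'admin_post_myfork_save_settings', 'myfork_save_settings_safe' );
```

The unsafe handler is deliberately not hooked to any action; only the nonce-checked version is registered.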
Evidence notes
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H indicates network accessibility, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact. The weakness is classified as CWE-352 (Cross-Site Request Forgery).
Official resources
- CVE-2026-39436 CVE record (CVE.org)
- CVE-2026-39436 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: The CVE record was published on May 25, 2026, and modified on May 26, 2026. The vulnerability affects CformsII versions n/a through 15.1.3, that is, all releases up to and including 15.1.3. The NVD status is currently 'Deferred', indicating the entry is awaiting further analysis.