PatchSiren cyber security CVE debrief
CVE-2026-14956 Bricksforge CVE debrief
The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-field whitelist. Successful exploitation requires that the site has a public Bricksforge Pro Forms element configured with the User Registration action. This vulnerability allows unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form.
- Vendor
- Bricksforge
- Product
- Unknown
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of the Bricksforge plugin for WordPress, particularly those with public Bricksforge Pro Forms elements configured with the User Registration action, should be aware of this vulnerability and take immediate action to protect their sites. This includes reviewing and restricting access to Bricksforge Pro Forms registration forms and monitoring for suspicious registration attempts.
Technical summary
The vulnerability exists due to improper validation of the fieldIds parameter in the Pro Forms registration action of the Bricksforge plugin for WordPress. This allows unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form. The vulnerability affects all versions of the Bricksforge plugin up to, and including, 3.1.8.6. Users with public Bricksforge Pro Forms elements configured with the User Registration action are particularly at risk. Successful exploitation requires that the site has such a form configured. This vulnerability enables attackers to escalate privileges, potentially leading to full control over the WordPress site. Therefore, users of the Bricksforge plugin for WordPress should review their configurations and update to the latest version to mitigate this vulnerability.
Defensive priority
High
Recommended defensive actions
- Update the Bricksforge plugin to the latest version
- Review and restrict access to Bricksforge Pro Forms registration forms
- Monitor for suspicious registration attempts
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-17T02:18:03.870Z and has not been modified since then. The NVD entry is currently 9.8 CRITICAL. This vulnerability affects users of the Bricksforge plugin for WordPress, particularly those with public Bricksforge Pro Forms elements configured with the User Registration action. Evidence is limited to CVE and NVD details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:03.870Z and has not been modified since then.