PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14956 Bricksforge CVE debrief

The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-field whitelist. Successful exploitation requires that the site has a public Bricksforge Pro Forms element configured with the User Registration action. This vulnerability allows unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form.

Vendor
Bricksforge
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of the Bricksforge plugin for WordPress, particularly those with public Bricksforge Pro Forms elements configured with the User Registration action, should be aware of this vulnerability and take immediate action to protect their sites. This includes reviewing and restricting access to Bricksforge Pro Forms registration forms and monitoring for suspicious registration attempts.

Technical summary

The vulnerability exists due to improper validation of the fieldIds parameter in the Pro Forms registration action of the Bricksforge plugin for WordPress. This allows unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form. The vulnerability affects all versions of the Bricksforge plugin up to, and including, 3.1.8.6. Users with public Bricksforge Pro Forms elements configured with the User Registration action are particularly at risk. Successful exploitation requires that the site has such a form configured. This vulnerability enables attackers to escalate privileges, potentially leading to full control over the WordPress site. Therefore, users of the Bricksforge plugin for WordPress should review their configurations and update to the latest version to mitigate this vulnerability.

Defensive priority

High

Recommended defensive actions

  • Update the Bricksforge plugin to the latest version
  • Review and restrict access to Bricksforge Pro Forms registration forms
  • Monitor for suspicious registration attempts
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-17T02:18:03.870Z and has not been modified since then. The NVD entry is currently 9.8 CRITICAL. This vulnerability affects users of the Bricksforge plugin for WordPress, particularly those with public Bricksforge Pro Forms elements configured with the User Registration action. Evidence is limited to CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:03.870Z and has not been modified since then.