PT-2026-8088 · WordPress · Smart Forms
Lukasz Sobanski · Published 2026-02-14 · Updated 2026-02-14
CVE-2026-2022
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Smart Forms plugin for WordPress versions prior to 2.7.0
Description
The Smart Forms plugin for WordPress has a flaw that allows unauthorized access to data. This is due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action. Attackers with Subscriber-level access or higher can retrieve donation campaign data, including campaign IDs and names. The affected API endpoint is rednao_smart_forms_get_campaigns.
Recommendations
Update the Smart Forms plugin to version 2.7.0 or later.
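Where the update cannot be applied immediately, the missing capability check can be enforced from outside the plugin. The following must-use plugin is an added example, not code from Smart Forms or from this advisory; the required capability (manage_options), the function and constant names, and the assumption that the plugin registers its handler at the default hook priority are all illustrative.

```php
<?php
/**
 * Plugin Name: Smart Forms campaigns guard (added example)
 * Description: Stopgap for sites still running Smart Forms prior to 2.7.0.
 * Install by placing this file in wp-content/mu-plugins/.
 */

// Assumption: only administrators need the campaign list. Adjust to your site.
const SFG_REQUIRED_CAP = 'manage_options';

// WordPress fires wp_ajax_{action} for logged-in users. Priority 0 runs this
// guard before a handler registered at the default priority of 10 (assumed).
add_action( 'wp_ajax_rednao_smart_forms_get_campaigns', 'sfg_require_capability', 0 );

function sfg_require_capability() {
    if ( current_user_can( SFG_REQUIRED_CAP ) ) {
        return; // Authorized: fall through to the plugin's own handler.
    }

    // Leave a trail for detection: low-privileged accounts have no reason
    // to call this action.
    error_log( sprintf(
        'Blocked rednao_smart_forms_get_campaigns: user_id=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request, so the
    // plugin's handler never runs for this user.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

Remove the file once the plugin is at 2.7.0 or later.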
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Smart Forms