The vulnerability identified as CVE-2026-2022 affects the Smart Forms plugin for WordPress, developed by edgarrojas, specifically versions up to and including 2.6.99. The core issue is a missing authorization check on the AJAX action 'rednao_smart_forms_get_campaigns'. This AJAX endpoint is intended to retrieve donation campaign data, including campaign IDs and names. Due to the lack of proper capability verification, any authenticated user with at least Subscriber-level access can invoke this action and retrieve sensitive campaign information without further privileges. The vulnerability falls under CWE-862 (Missing Authorization), indicating that the system fails to enforce proper access controls before granting access to sensitive data. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based (AV:N), requires low attack complexity (AC:L), and only requires privileges of a low-level authenticated user (PR:L). There is no user interaction required (UI:N), and the impact is limited to confidentiality (C:L), with no impact on integrity or availability. No patches were linked at the time of publication, and no known exploits have been reported in the wild. The vulnerability allows attackers to gather information that could be used for further social engineering or targeted attacks against organizations using the plugin for donation campaigns.

For European organizations, the primary impact of this vulnerability is the unauthorized disclosure of donation campaign data, which may include campaign IDs and names. While this does not directly compromise the integrity or availability of systems, the leakage of campaign information can lead to reputational damage, loss of donor trust, and potential exploitation in social engineering or phishing attacks targeting donors or staff. Nonprofit organizations and charities using the Smart Forms plugin to manage donation campaigns are particularly at risk. Additionally, attackers with subscriber-level access could use this information to map organizational fundraising activities, potentially aiding in more sophisticated attacks. Given the widespread use of WordPress across Europe, especially among small and medium-sized enterprises and nonprofits, the scope of affected systems could be significant. However, the requirement for authenticated access limits the attack surface to users who already have some level of access, reducing the risk of external, unauthenticated exploitation.

To mitigate this vulnerability, European organizations should first verify if they are using the Smart Forms plugin by edgarrojas, particularly versions up to 2.6.99. Since no official patch links are provided, organizations should monitor the vendor's announcements for updates or security patches and apply them promptly once available. In the interim, administrators should restrict user roles and permissions rigorously, ensuring that only trusted users have Subscriber-level or higher access. Implementing additional access control measures on the AJAX endpoint, such as custom capability checks or firewall rules that limit access to trusted IP ranges, can reduce exposure. Employing Web Application Firewalls (WAFs) with rules to detect and block unauthorized AJAX requests targeting 'rednao_smart_forms_get_campaigns' can also help. Regularly auditing user accounts and removing unnecessary or inactive users will minimize the number of potential attackers with authenticated access. Finally, organizations should educate users about the risks of phishing and social engineering that could leverage leaked campaign information.