The vulnerability identified as CVE-2026-2022 affects the Smart Forms plugin for WordPress, developed by edgarrojas, specifically versions up to and including 2.6.99. The root cause is a missing authorization check (CWE-862) on the AJAX action 'rednao_smart_forms_get_campaigns'. This AJAX endpoint is intended to provide donation campaign data but fails to verify whether the requesting user has sufficient privileges. As a result, any authenticated user with at least Subscriber-level access can invoke this action and retrieve sensitive information such as campaign IDs and names. The vulnerability is exploitable remotely without user interaction, leveraging the plugin's AJAX interface. The CVSS v3.1 base score is 4.3 (medium), reflecting the low complexity of exploitation (AC:L), the requirement for low privileges (PR:L), no user interaction (UI:N), and limited impact confined to confidentiality (C:L) without affecting integrity or availability. No patches are currently linked, and no known exploits have been observed in the wild. This vulnerability could facilitate information disclosure that attackers might use for social engineering, reconnaissance, or targeted attacks against organizations using the plugin for donation campaigns.

The primary impact of this vulnerability is unauthorized disclosure of donation campaign data, which may include campaign identifiers and names. While this does not directly compromise system integrity or availability, the exposure of campaign information can have several downstream effects. Attackers could leverage this data to craft targeted phishing or social engineering campaigns against donors or staff. It may also reveal organizational fundraising strategies or priorities, potentially harming reputation or competitive positioning. For organizations relying on the Smart Forms plugin to manage sensitive fundraising data, this vulnerability represents a privacy risk and could lead to loss of donor trust. Since exploitation requires only Subscriber-level access, attackers could gain initial footholds through compromised low-privilege accounts or weak registration controls. The scope of affected systems includes all WordPress sites using the vulnerable versions of the Smart Forms plugin, which may be widespread given WordPress's global popularity in nonprofit and small business sectors.

To mitigate this vulnerability, organizations should first verify whether they use the Smart Forms plugin by edgarrojas and identify the installed version. If running a vulnerable version (up to 2.6.99), they should immediately update to a patched version once available from the vendor. In the absence of an official patch, administrators can implement temporary workarounds such as restricting access to the AJAX endpoint via web application firewall (WAF) rules or custom code that enforces capability checks on 'rednao_smart_forms_get_campaigns'. Additionally, review and tighten user role assignments to minimize the number of accounts with Subscriber-level or higher privileges, and monitor logs for suspicious AJAX requests targeting this action. Employing strong authentication and account security controls reduces the risk of low-privilege account compromise. Finally, organizations should audit their donation campaign data exposure and consider encrypting or limiting sensitive information accessible through plugins.