CVE-2026-9178: CWE-862 Missing Authorization in hancock11 WP Forms Connector
The WP Forms Connector plugin for WordPress contains an information exposure vulnerability in all versions up to and including 1.8. Its REST route wp/v3/user/list/<id> lets unauthenticated attackers retrieve sensitive user information, including password hashes and email addresses, by supplying a valid administrator username together with any non-empty password value: the password is never verified.
AI Analysis
Technical Summary
CVE-2026-9178 is a missing authorization vulnerability (CWE-862) in the WP Forms Connector WordPress plugin by hancock11. The plugin registers the REST API endpoint wp/v3/user/list/<id> with a permission callback that always returns true, so WordPress itself enforces no authorization on the route. The plugin's own check, performed inside the route callback, only verifies that the 'Username' HTTP header names an administrator account and that the 'Password' header is non-empty; the supplied password is never compared against the stored hash with wp_check_password(). Since administrator login names on WordPress sites are often discoverable (author archives, the core users endpoint, or simply 'admin'), an unauthenticated attacker can send a request carrying a valid admin username and an arbitrary password value and retrieve the record for any user ID, including the password hash and email address.
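The two halves of the flaw described above (the always-true permission callback, and the header check that tests the password for presence but never verifies it) next to a corrected registration. This is an added illustration written for this page, not WP Forms Connector's code: the route and the Username/Password header names come from the advisory, while the wpfc_* function names, the capability chosen (list_users) and the field set returned are assumptions.

```php
<?php
// Added example for CVE-2026-9178; not the plugin's own code.
// Assumed names: every wpfc_* function below. Route and header names are
// the ones given in the advisory.

// ---- Vulnerable shape ---------------------------------------------------
// permission_callback is '__return_true', so WordPress enforces nothing.
// The callback then checks only that the Username header names an
// administrator and that the Password header is non-empty.
function wpfc_vuln_register_route() {
    register_rest_route( 'wp/v3', '/user/list/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'wpfc_vuln_user_list',
        'permission_callback' => '__return_true',   // CWE-862: no authorization
    ) );
}

function wpfc_vuln_user_list( WP_REST_Request $request ) {
    $admin = get_user_by( 'login', (string) $request->get_header( 'username' ) );
    if ( ! $admin || ! in_array( 'administrator', $admin->roles, true ) ) {
        return new WP_Error( 'forbidden', 'Unknown user', array( 'status' => 403 ) );
    }
    // Presence is tested; the value is never compared to the stored hash.
    if ( '' === (string) $request->get_header( 'password' ) ) {
        return new WP_Error( 'forbidden', 'Missing password', array( 'status' => 403 ) );
    }
    $user = get_userdata( (int) $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user', array( 'status' => 404 ) );
    }
    // $user->data is the raw users row: user_login, user_email, user_pass (the hash), ...
    return rest_ensure_response( $user->data );
}

// ---- Corrected shape ----------------------------------------------------
// 1. Authorization lives in permission_callback and relies on the WordPress
//    session (cookie + nonce, or an application password), so no credentials
//    travel in custom headers at all.
// 2. The response is an allow-list of fields; user_pass is never serialised,
//    whoever the caller is.
function wpfc_fixed_register_route() {
    register_rest_route( 'wp/v3', '/user/list/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'wpfc_fixed_user_list',
        'permission_callback' => 'wpfc_fixed_permission',
        'args'                => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

function wpfc_fixed_permission( WP_REST_Request $request ) {
    if ( current_user_can( 'list_users' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You may not list users.',
        array( 'status' => rest_authorization_required_code() )
    );
}

// If header credentials must be kept for an external connector, verify them
// properly: wp_authenticate() runs the normal login pipeline (which calls
// wp_check_password() and any login-hardening filters), and the capability
// check still applies afterwards.
function wpfc_header_credentials_permission( WP_REST_Request $request ) {
    $user = wp_authenticate(
        (string) $request->get_header( 'username' ),
        (string) $request->get_header( 'password' )
    );
    if ( is_wp_error( $user ) || ! user_can( $user, 'list_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid credentials.', array( 'status' => 403 ) );
    }
    return true;
}

function wpfc_fixed_user_list( WP_REST_Request $request ) {
    $user = get_userdata( (int) $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'           => $user->ID,
        'login'        => $user->user_login,
        'display_name' => $user->display_name,
        'email'        => $user->user_email,   // still sensitive: only for list_users holders
    ) );
}

add_action( 'rest_api_init', 'wpfc_fixed_register_route' );
```

Two points worth keeping in mind when reviewing similar plugins: a permission_callback that returns true is only acceptable for genuinely public data, and even a correct authorization check does not excuse returning the raw user row, because user_pass should never leave the database through an API regardless of who asks.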
Potential Impact
An unauthenticated attacker can obtain password hashes and email addresses for any user, administrators included. The hashes can be cracked offline (a cracked administrator hash yields full control of the site), and the email addresses support targeted phishing and credential stuffing against other services where the same password may be reused. The flaw itself grants no write access and cannot modify or delete data; it compromises the confidentiality of user credentials.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory and the Wordfence (assigning CNA) advisory for current remediation guidance. Because every release up to and including 1.8 is affected, downgrading does not help: deactivate and remove the plugin until a fixed release is available. If it must stay installed, block wp/v3/user/list/ at the web application firewall or in a must-use plugin, covering both the /wp-json/ path and the ?rest_route= query form. Search access logs for requests to that route, especially ones carrying Username and Password headers, and treat any match as a credential exposure: force a password reset for all users (administrators first) and audit for new or modified administrator accounts.
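A must-use plugin that denies the vulnerable route before the plugin's own callback runs, as an interim measure while waiting for a fix. This is an added example written for this page, not vendor code or a Wordfence rule; the route pattern is the one from the advisory, and the function names and the log line format are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary block for CVE-2026-9178
 * Description: Added example for this page, not vendor code. Denies the
 *              wp/v3/user/list/<id> route until a fixed plugin is installed.
 */

// rest_pre_dispatch runs at the top of WP_REST_Server::dispatch(), before
// the route is matched and before its permission_callback, so a non-null
// return value ends the request here. Assumed names: both cve_2026_9178_*
// functions below.
add_filter( 'rest_pre_dispatch', 'cve_2026_9178_block', 1, 3 );

function cve_2026_9178_is_target( $route ) {
    // Anchored on both ends so only the vulnerable route matches. get_route()
    // yields the same '/wp/v3/user/list/7' whether the request arrived as
    // /wp-json/wp/v3/user/list/7 or as ?rest_route=/wp/v3/user/list/7.
    return 1 === preg_match( '#^/wp/v3/user/list/[^/]+/?$#', (string) $route );
}

function cve_2026_9178_block( $result, $server, $request ) {
    if ( null !== $result || ! cve_2026_9178_is_target( $request->get_route() ) ) {
        return $result;
    }
    // Keep a record: a Username header on this route is the attack signature.
    error_log( sprintf(
        'CVE-2026-9178 blocked: ip=%s method=%s route=%s username_header=%s',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $request->get_method(),
        $request->get_route(),
        $request->get_header( 'username' ) ? 'present' : 'absent'
    ) );
    return new WP_Error(
        'rest_route_disabled',
        'This route is temporarily disabled.',
        array( 'status' => 403 )
    );
}
```

Save the file in wp-content/mu-plugins/ so it loads unconditionally and cannot be deactivated from the dashboard, and remove it once a fixed release is installed. A web-server rule on the /wp-json/wp/v3/user/list/ path alone is weaker, because the REST API is also reachable through index.php?rest_route=. Neither measure undoes an exposure that already happened, which is why the log review and password resets above still apply.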
CVSS v3.1 base score: 7.5 (High)
Weaknesses: CWE-862 Missing Authorization
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-05-21T14:44:27.753Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: not provided
Threat ID: 6a3b7813eed863c81e5f730c
Added to database: 06/24/2026, 06:24:19 UTC
Last enriched: 06/24/2026, 06:39:18 UTC
Last updated: 06/24/2026, 10:25:01 UTC