Security Alert Summary
The Advanced Form Integration – Connect Forms to 200+ Apps WordPress plugin before 2.1.1 contains a vulnerability that can allow unauthenticated visitors to create a user whose WordPress role is taken from a public form field. With a specific, non-default configuration that maps the created user's role to a public form field, an attacker could create an administrator account.
CVE Details
- CVE ID: CVE-2026-11794
- Affected component: Advanced Form Integration – Connect Forms to 200+ Apps (WordPress plugin)
- Affected versions: all versions before 2.1.1 (< 2.1.1)
- Published: July 1, 2026 7:16:22 AM UTC
- Last modified: July 1, 2026 11:16:23 AM UTC
- CVSS v3.1: Base Score 8.1, Severity HIGH, Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / Privileges / User interaction: Authentication: None required; Privileges Required: None (PR:N); User Interaction: None (UI:N)
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- CWE / weakness ID: Not specified in the CVE data
Technical Details
According to the CVE description, the plugin does not restrict the WordPress role that is assigned when it creates a user from a public form submission. When an active integration is configured to map the user role to a public form field, and the plugin is in a specific non-default multi-integration configuration, an unauthenticated visitor submitting that form can cause the plugin to create a user account with the supplied role. Because there is no role restriction in that path, an attacker can create an account with administrator privileges if the integration maps the role field to an administrative role.
The vulnerability exists because the code path that handles user creation from public form submissions accepts role data from a mapped form field without enforcing role-filtering or role-validation checks. The CVE does not name specific functions or REST endpoints.
Impact: successful exploitation allows an unauthenticated actor to create an administrator account on the affected site under the described configuration, which could enable administrative actions consistent with that role.
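The following PHP is an added illustration of the pattern the description points at, not the plugin's own code: a form-created user whose role is copied straight from a mapped field, beside a version that resolves the role through an allowlist so privileged roles can never be requested from form input. The function names, the AFI_EXAMPLE_PUBLIC_ROLES constant and the $fields keys are hypothetical; wp_insert_user(), sanitize_key(), sanitize_user(), sanitize_email(), wp_generate_password() and wp_roles()->is_role() are WordPress core functions.

```php
<?php
// Added illustration, not the plugin's code. Function names, the AFI_EXAMPLE_*
// constant and the $fields keys are hypothetical; wp_insert_user(), sanitize_*()
// and wp_roles()->is_role() are WordPress core.

// Allowlist of roles a public form may ever assign. Administrator and editor are
// deliberately absent, so a mapped field cannot request them.
const AFI_EXAMPLE_PUBLIC_ROLES = array( 'subscriber' );

/**
 * Resolve the role for a form-created user from an untrusted field value.
 * Anything outside the allowlist, including valid WordPress roles such as
 * 'administrator', falls back to a low-privilege default.
 */
function afi_example_resolve_role( $submitted_role, $fallback_role = 'subscriber' ) {
    $role = sanitize_key( (string) $submitted_role );
    if ( ! in_array( $role, AFI_EXAMPLE_PUBLIC_ROLES, true ) ) {
        return $fallback_role;
    }
    // Defence in depth: the role must also be registered on this site.
    if ( ! wp_roles()->is_role( $role ) ) {
        return $fallback_role;
    }
    return $role;
}

// Vulnerable pattern the advisory describes, shown for contrast: the mapped
// field flows straight into 'role', so whatever the visitor submits is assigned.
function afi_example_create_user_unsafe( array $fields ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $fields['username'] ),
        'user_email' => sanitize_email( $fields['email'] ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $fields['role'], // untrusted, unvalidated
    ) );
}

// Hardened version: the role passes through the allowlist first.
function afi_example_create_user_safe( array $fields ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $fields['username'] ),
        'user_email' => sanitize_email( $fields['email'] ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => afi_example_resolve_role( $fields['role'] ?? '' ),
    ) );
}
```

The same allowlist check belongs wherever the plugin reads a mapped role, since the description places the defect in the user-creation path rather than in any single endpoint.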
How This Could Impact Your Website
Consider a site where the owner has delegated form configuration to an internal staff member and an external contractor who integrates the forms with third-party apps. If the integration is configured to map a form field to the WordPress user role, an attacker submitting the public form could create an administrator account. This could allow the attacker to:
- Gain administrative access to the WordPress dashboard and perform actions available to administrators.
- Increase the risk of exposure of internal user data, including email addresses, if administrative actions or settings reveal that information.
- Raise the likelihood of targeted phishing or social engineering against staff and contractors using harvested internal information.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin to version 2.1.1 or later (versions before 2.1.1 are affected).
- Review and reduce unnecessary user roles, especially contributor-level and editor-level roles that can be escalated by integrations.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and disable integrations that are not required.
- Monitor site activity and user creation logs for unusual behavior, such as unexpected account creation from public forms.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.