CVE-2026-9178 in WP Forms Connector Plugin
Summary
by MITRE • 06/24/2026
The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/ (callback userDetail()) with permission_callback set to '__return_true', and the function's home-grown authentication only verifies that the supplied 'Username' HTTP header maps to an administrator account and that a 'Password' HTTP header is non-empty. It never validates the password with wp_check_password() (unlike the sibling delete_wc_user() function which does). This makes it possible for unauthenticated attackers to retrieve sensitive information for any registered user ID — including the WordPress password hash (user_pass) and email address — by sending a request with a valid administrator login name (commonly the default 'admin') and any arbitrary password value.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/24/2026
The WP Forms Connector plugin for WordPress presents a critical information exposure vulnerability that affects all versions up to and including 1.8. This flaw resides in the plugin's REST API implementation where it registers a route at wp/v3/user/list/ with a callback function named userDetail(). The vulnerability stems from improper permission validation within the plugin's authentication mechanism, creating a significant security gap that allows unauthorized access to sensitive user data.
The technical flaw manifests through the permission_callback parameter being set to '__return_true', which effectively disables any authentication requirements for accessing this specific REST endpoint. The plugin's custom authentication logic only verifies that a supplied 'Username' HTTP header corresponds to an administrator account and that a 'Password' HTTP header is non-empty, but fails to actually validate the password against the WordPress user database using the standard wp_check_password() function. This design flaw directly contravenes established security practices and creates a path for attackers to bypass authentication entirely.
The operational impact of this vulnerability is severe as it enables unauthenticated attackers to retrieve comprehensive user information for any registered WordPress user account. The exposed data includes sensitive password hashes stored in the user_pass field, email addresses, and potentially other user profile information that could be leveraged for further attacks including credential stuffing, social engineering campaigns, or targeted phishing attempts. Attackers can exploit this vulnerability by simply sending a request with any valid administrator username such as the default 'admin' account and an arbitrary password value, making the attack surface extremely broad and accessible.
The vulnerability aligns with CWE-200 (Information Exposure) and represents a classic case of inadequate authentication controls within REST API endpoints. From an att&ck framework perspective, this weakness maps to T1566.002 (Phishing for Information) and T1078 (Valid Accounts) as it allows adversaries to harvest user credentials without requiring valid login sessions. The flaw particularly affects the principle of least privilege by granting unrestricted access to sensitive user data through a path that should require proper authentication. Organizations using this plugin face elevated risk of credential compromise and potential account takeover scenarios, especially when default administrator usernames are utilized.
Mitigation strategies should immediately involve upgrading to a patched version of the plugin if available, or implementing temporary workarounds such as restricting access to the vulnerable REST endpoint through firewall rules or web application firewalls. Administrators should also consider changing default administrator usernames and implementing additional authentication layers including two-factor authentication. The vulnerability highlights the importance of proper input validation and authentication handling in WordPress plugins, particularly when dealing with sensitive data exposure scenarios that could lead to broader system compromise.