A critical authentication bypass vulnerability in a WordPress form notification plugin is exposing website administrators to complete account takeover through a cookie manipulation attack that requires no user interaction and no authentication from the attacker.

The vulnerability, tracked as CVE-2026-5229 with a CVSS severity score of 9.8, affects all versions of the "Receive Notifications After Form Submitting – Form Notify for Any Forms" plugin up to and including version 1.1.10. The flaw allows remote attackers to bypass authentication entirely by manipulating cookie data that the plugin incorrectly trusts to determine which WordPress account to authenticate.

Security researchers disclosed the vulnerability publicly on May 18, with version 1.1.11 released as a patch. With over 30 active installations according to WordPress.org statistics, the vulnerability represents a limited but severe exposure for affected sites — particularly those in Asian markets where the plugin's LINE Notify and SMS integration features are most popular.

Technical Analysis

The vulnerability stems from the plugin's decision to trust user-controlled cookie data without proper validation when determining authentication state. In secure implementations, authentication decisions must rely on server-side session management with cryptographically signed tokens. This plugin instead accepts cookie values provided by the client, allowing an attacker to craft malicious cookies that grant administrative access.

The attack vector is network-based with low complexity. An unauthenticated attacker can send specially crafted HTTP requests with modified cookie headers to the vulnerable plugin endpoints. Because the plugin fails to verify these cookies against server-side session data, it accepts the attacker-supplied values as legitimate authentication credentials.
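As an added illustration, not the plugin's own code, the hypothetical PHP below contrasts a handler that derives identity from a plugin-specific cookie with one that relies on WordPress core's signed auth cookie plus a capability check, and shows how a plugin-issued token should be bound to a server-side HMAC if one is needed at all; the cookie name fn_user, option fn_recipient and nonce action fn_save_recipient are assumed names.

```php
<?php
// Added example (hypothetical, not the affected plugin's code): a notification
// settings handler that trusts a client cookie, beside a hardened version.

// WEAK: identity comes straight from a cookie the browser fully controls.
function weak_current_user_id() {
    return isset( $_COOKIE['fn_user'] ) ? (int) $_COOKIE['fn_user'] : 0;
}

// HARDENED: never derive identity from plugin-specific cookies. WordPress
// core already validates its own HMAC-signed auth cookie; build on that and
// then check a capability rather than a role name or a user id.
function hardened_require_admin() {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    return get_current_user_id();
}

// If a plugin must carry state in its own cookie (e.g. a short-lived token
// for a notification callback), bind it to a server-side secret and verify
// with a constant-time comparison before trusting any field in it.
function issue_token( $user_id, $ttl = 300 ) {
    $payload = (int) $user_id . '|' . ( time() + $ttl );
    $mac     = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    return $payload . '|' . $mac;
}

function verify_token( $token ) {
    $parts = explode( '|', (string) $token );
    if ( count( $parts ) !== 3 ) {
        return 0;
    }
    list( $user_id, $expires, $mac ) = $parts;
    $expected = hash_hmac( 'sha256', $user_id . '|' . $expires, wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $mac ) || (int) $expires < time() ) {
        return 0; // tampered, forged, or expired
    }
    // Verified user id authorizes only the scoped action it was issued for;
    // it must never be passed to wp_set_current_user() to create a session.
    return (int) $user_id;
}

// Handler: change the notification recipient only for a verified admin.
function save_recipient( $new_email ) {
    hardened_require_admin();
    check_admin_referer( 'fn_save_recipient' ); // CSRF nonce from the form
    update_option( 'fn_recipient', sanitize_email( $new_email ) );
}
```

The weak pattern is the whole vulnerability class the article describes: any request can set the cookie, so the plugin ends up authenticating whichever account the client names.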

This grants attackers the ability to hijack form notification workflows, redirecting sensitive form submissions to attacker-controlled email addresses or webhooks. More critically, depending on how the plugin implements its notification handlers, successful exploitation could enable attackers to invoke privileged functionality, modify plugin settings, or establish persistence through backdoor accounts.

The vulnerability falls under OWASP's "Identification and Authentication Failures" category — formerly known as Broken Authentication in earlier OWASP Top 10 classifications. Cookie-based authentication bypass vulnerabilities have remained a persistent problem in WordPress plugins despite extensive documentation of secure authentication patterns.

Exploitation and Impact

While no evidence of active mass exploitation has surfaced in public threat intelligence feeds, the vulnerability's characteristics make it an attractive target. The attack requires no authentication, no user interaction, and presents low technical complexity — meeting the criteria for what Patchstack classifies as "exploitable in real-world attacks."

Successful exploitation enables several attack scenarios. At minimum, attackers can intercept sensitive data from form submissions by redirecting notification emails to their own infrastructure. More sophisticated attacks could leverage notification functions to trigger server-side activities, potentially chaining this vulnerability with other weaknesses to achieve remote code execution or establish persistent backdoors.

The broader WordPress ecosystem context amplifies concern. [Source: Patchstack threat intelligence report needed] identified 6,700 new vulnerabilities in WordPress plugins and themes in the first six months of 2025, with 41% classified as exploitable. Industry data consistently shows that 92% of successful WordPress breaches originate from plugins and themes rather than WordPress core.

Vendor Response and Mitigation

The plugin developer released version 1.1.11 as a patch, though no public statement explaining the fix timeline or implementation details was available at publication. The WordPress.org plugin listing still shows a last-updated date of seven months ago and version 1.1.08 in its metadata, even though version 1.1.11 is available for download.

Site administrators running affected versions should update to 1.1.11 immediately. For sites unable to update immediately, security firms including Managed-WP and WP-Firewall have published virtual patching rules for their web application firewall products to block exploitation attempts.

Sites that cannot update and lack WAF protection should disable or remove the plugin entirely until patches can be applied. Standard WordPress security hardening — including limiting login attempts, implementing two-factor authentication, and monitoring for suspicious authentication activity — provides limited protection against this vulnerability since it bypasses authentication mechanisms entirely.

Security teams should audit logs for unusual form notification behavior, unexpected email recipient changes, or suspicious cookie patterns in web server access logs as potential indicators of compromise.

The disclosure highlights the continuing challenge of authentication security in the WordPress plugin ecosystem, where thousands of independent developers implement their own authentication logic with varying degrees of security rigor. As WordPress continues to power over 43% of all websites, plugin vulnerabilities remain a critical attack surface requiring vigilant patch management and security monitoring.