The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to read form submission records, modify form configuration options, and delete records belonging to any form they do not own.
| Score | Percentile |
|---|---|
| 0.04% | 10.94% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.3 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-qpp8-c46f-8gpc ↗ |
| CVE | CVE-2026-7050 ↗ |
| CWE id | Name |
|---|---|
| CWE-862 | Missing Authorization |