{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5229/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-5229"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Form Notify \u003c= 1.1.10"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","wordpress","plugin","CVE-2026-5229"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Form Notify plugin for WordPress, in versions up to and including 1.1.10, contains an authentication bypass vulnerability identified as CVE-2026-5229. The vulnerability stems from the plugin\u0026rsquo;s flawed logic in handling LINE OAuth logins. Specifically, when LINE does not provide an email address for a user, the plugin relies on the \u0026lsquo;form_notify_line_email\u0026rsquo; cookie to determine the WordPress account to authenticate. The plugin fails to validate that the LINE account is actually associated with the email address provided in the cookie, enabling attackers to forge the cookie value. 
This makes it possible for an unauthenticated attacker to gain access to any user account on the WordPress site, including those with administrator privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site using a vulnerable version (\u0026lt;= 1.1.10) of the Form Notify plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a LINE OAuth account.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a LINE OAuth login flow on the target WordPress site.\u003c/li\u003e\n\u003cli\u003eThe LINE OAuth flow does not provide an email address (this is a common scenario).\u003c/li\u003e\n\u003cli\u003eBefore completing the login, the attacker injects a malicious \u0026lsquo;form_notify_line_email\u0026rsquo; cookie into their browser session, setting the value to the email address of the target victim\u0026rsquo;s WordPress account (e.g., the administrator\u0026rsquo;s email).\u003c/li\u003e\n\u003cli\u003eThe attacker completes the LINE OAuth login process on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe Form Notify plugin reads the \u0026lsquo;form_notify_line_email\u0026rsquo; cookie and, without proper verification, authenticates the attacker as the victim user.\u003c/li\u003e\n\u003cli\u003eThe attacker now has full access to the victim\u0026rsquo;s WordPress account, potentially gaining administrative control of the entire site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5229 allows unauthenticated attackers to bypass authentication and gain unauthorized access to WordPress accounts, including administrator accounts. This can lead to complete compromise of the WordPress site, including data theft, defacement, malware injection, and denial of service. 
The severity is high due to the ease of exploitation and the potential for widespread impact, particularly on sites relying on the Form Notify plugin for critical functionality.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade Form Notify plugin to a version greater than 1.1.10 to remediate CVE-2026-5229.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Form Notify Authentication Bypass via Malicious Cookie\u003c/code\u003e to your SIEM to detect potential exploitation attempts (see below).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests with manipulated \u003ccode\u003eform_notify_line_email\u003c/code\u003e cookies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T09:18:37Z","date_published":"2026-05-15T09:18:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-form-notify-auth-bypass/","summary":"The Form Notify plugin for WordPress is vulnerable to CVE-2026-5229, an authentication bypass, due to trusting user-controlled cookie data after a LINE OAuth login, allowing unauthenticated attackers to gain administrative access.","title":"WordPress Form Notify Plugin Authentication Bypass Vulnerability (CVE-2026-5229)","url":"https://feed.craftedsignal.io/briefs/2026-05-form-notify-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-5229","version":"https://jsonfeed.org/version/1.1"}