Cross-Site Request Forgery Vulnerability in CformsII Plugin by bgermann
CVE-2026-39436

7.1 HIGH

Key Information:

Vendor: WordPress

Status
Vendor
CVE Published: 25 May 2026

What is CVE-2026-39436?

The CformsII plugin by bgermann is susceptible to Cross-Site Request Forgery (CSRF), which may allow attackers to perform unwanted actions on behalf of authenticated users. This vulnerability can lead to unauthorized access or manipulation of user data. Affected versions are CformsII through 15.1.3, which highlights the importance of updating to a secure version and implementing adequate security measures to mitigate potential exploits.

Affected Version(s)

CformsII <= 15.1.3

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ilay Striechman | Patchstack Bug Bounty Program