Authentication Bypass Vulnerability in Form Notify Plugin for WordPress
CVE-2026-5229

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Receive Notifications After Form Submitting – Form Notify For Any Forms
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-5229?

The Form Notify plugin for WordPress is susceptible to an authentication bypass vulnerability that affects versions up to 1.1.10. This flaw arises from the plugin's reliance on user-controlled cookie data to authenticate accounts post-LINE OAuth login. Particularly, when LINE fails to return an email address, the plugin falls back on the 'form_notify_line_email' cookie without confirming any association between the provided email and the LINE account. This reliance enables attackers to exploit this weakness, gaining unauthorized access to user accounts, including those with administrative privileges, by completing the LINE OAuth process while injecting a malicious cookie containing a targeted victim's email address.

Affected Version(s)

Receive Notifications After Form Submitting – Form Notify for Any Forms 0 <= 1.1.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/form-notify/tr...

https://plugins.trac.wordpress.org/browser/form-notify/ta...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
Mar 31, 2026

Credit

Nabil Irawan

CVE-2026-5229 Data

JSON