Information Exposure Vulnerability in WP Forms Connector Plugin by WordPress
CVE-2026-9178

7.5HIGH

Key Information:

Vendor: WordPress
Status: WP Forms Connector
Vendor: CVE Published:; 24 June 2026

What is CVE-2026-9178?

The WP Forms Connector plugin for WordPress contains a vulnerability that allows unauthenticated attackers to exploit the REST route wp/v3/user/list/. Due to the permission callback being set to '__return_true', any attacker can leverage a valid administrator username, such as 'admin', to generate a request inclusive of an arbitrary password value. This flaw allows access to sensitive information, including the WordPress password hash and email addresses of registered users, effectively exposing user data without proper authentication checks.

Affected Version(s)

WP Forms Connector 0 <= 1.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-forms-conne...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
May 21, 2026

Credit

jamaal

CVE-2026-9178 Data

JSON