{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2022", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T20:32:26.267Z", "datePublished": "2026-02-14T06:42:27.519Z", "dateUpdated": "2026-04-08T16:46:27.378Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:27.378Z"}, "affected": [{"vendor": "edgarrojas", "product": "Smart Forms \u2013 when you need more than just a contact form", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6.99", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names."}], "title": "Smart Forms <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/381ec109-ca51-4011-b7e0-aec636540d59?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-forms/trunk/integration/smart-donations-integration-ajax.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-forms/trunk/smartforms.php#L90"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lukasz Sobanski"}], "timeline": [{"time": "2026-02-13T18:31:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:36:47.026168Z", "id": "CVE-2026-2022", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:47:27.057Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2022", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:36:47.026168Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:36:47.783Z"}}], "cna": {"title": "Smart Forms <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Lukasz Sobanski"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "edgarrojas", "product": "Smart Forms \u2013 when you need more than just a contact form", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.6.99"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:31:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/381ec109-ca51-4011-b7e0-aec636540d59?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-forms/trunk/integration/smart-donations-integration-ajax.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-forms/trunk/smartforms.php#L90"}], "descriptions": [{"lang": "en", "value": "The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:27.378Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2022", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:27.378Z", "dateReserved": "2026-02-05T20:32:26.267Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:27.519Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names."}, {"lang": "es", "value": "El plugin Smart Forms para WordPress es vulnerable a acceso no autorizado de datos debido a una comprobaci\u00f3n de capacidad ausente en la acci\u00f3n AJAX 'rednao_smart_forms_get_campaigns' en todas las versiones hasta la 2.6.99, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, recuperen datos de campa\u00f1as de donaci\u00f3n, incluyendo IDs y nombres de campa\u00f1as."}], "id": "CVE-2026-2022", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:12.847", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smart-forms/trunk/integration/smart-donations-integration-ajax.php#L3"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smart-forms/trunk/smartforms.php#L90"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/381ec109-ca51-4011-b7e0-aec636540d59?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.99]"}}], "product": "smart_forms_\u2013_when_you_need_more_than_just_a_contact_form", "vendor": "edgarrojas"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:39:09.037817+00:00", "value": {"mitigation_remediation": ["Upgrade Smart Forms to a version newer than 2.6.99, where the capability check has been added.", "If an immediate upgrade is not possible, reduce the Subscriber role\u2019s permissions or disable the 'rednao_smart_forms_get_campaigns' AJAX endpoint to prevent access for non\u2011admin users.", "Temporarily disable the 'rednao_smart_forms_get_campaigns' AJAX action by customizing the plugin or using a custom code snippet that intercepts the action and returns wp_die() for non\u2011admin callers."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Retrieval of Campaign Data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Smart Forms plugin produced by edgarrojas, version 2.6.99 and earlier. In a WordPress environment, any installation of this plugin, regardless of theme or other plugins, is susceptible. Users of version 2.6.99 or any older build are exposed.", "description_and_impact": "The Smart Forms plugin for WordPress suffers from a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action. As a result, authenticated users with Subscriber-level access and higher can invoke this endpoint and retrieve donation campaign data, including campaign IDs and names. This leads to sensitive campaign information exposure but does not grant further privileges or system compromise.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a medium risk, mainly due to the lack of authorization checks. The EPSS score is below 1%, implying that exploitation is unlikely or not widely observed; the vulnerability is not present in the CISA KEV catalog. Attackers need only a valid Subscriber account, which is a common role in many WordPress installations. Because the attack originates from within an authenticated session, the likelihood of a successful exploit depends on the presence of vulnerable users and access to the backend. Nonetheless, administrators should consider this a low\u2011to\u2011moderate risk that warrants an update."}}}}, "created": "2026-02-16T12:03:07.801221+00:00", "updated": "2026-04-15T20:45:06.386287+00:00", "vendors": ["edgarrojas", "edgarrojas$PRODUCT$smart_forms_\u2013_when_you_need_more_than_just_a_contact_form", "wordpress", "wordpress$PRODUCT$wordpress"]}