External risk intelligence

WordPress plugin lets attackers take over any user account

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-5229

A critical flaw in the WordPress Form Notify plugin lets an unauthenticated attacker log in as any user, including administrators, by abusing how the plugin completes a LINE OAuth login. Any site running the plugin is exposed and should patch immediately.

Halo Surface Signal: 4

Authentication Bypass

External exposure likelihood

Halo Surface Signal score for CVE-2026-5229

The vulnerability sits in the authentication path of a WordPress plugin. WordPress is a content management system that is usually deployed as an internet-facing web application, and its login and authentication endpoints are normally reachable from the public internet, so this attack surface is frequently exposed in real-world deployments.

Horizon Alert

Summary of the vulnerability and why it matters

The Form Notify plugin for WordPress has a critical vulnerability that lets unauthenticated attackers bypass login. The flaw lies in how the plugin resolves the WordPress user at the end of a LINE OAuth login: when LINE does not return an email address, the plugin accepts cookie data supplied by the client to decide which account to sign in, so an attacker can impersonate any user on the site.

  • Attackers can gain admin access.
  • Any website using this plugin is at risk.
  • This allows full account takeover.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can take over any WordPress account by abusing how the Form Notify plugin handles a LINE OAuth login when LINE returns no email address. The attacker starts a LINE login flow from their own browser and sets a cookie carrying the target user's email address. The plugin uses that cookie-supplied value to select the account to sign in, so the attacker ends up logged in as the victim, including as an administrator. The attacker only needs to know or guess the victim's email address; no password and no relationship to the victim's LINE account is required.

  • Target WordPress sites running the plugin.
  • Abuse the plugin's no-email fallback in the LINE OAuth flow.
  • Supply a cookie carrying the victim's email address.
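To make the flaw class concrete, the following is an added illustration of the weak pattern the attack path describes, beside one hardened form. It is hypothetical WordPress plugin code written for this page, not code from the Form Notify plugin, whose internals the advisory does not show. The cookie name `line_fallback_email`, the user-meta key `line_user_id`, the shape of the `$profile` array, and the choice to bind accounts by LINE's stable user ID are all assumptions of the example; the real cookie and code paths in the plugin may differ.

```php
<?php
// Added example of the vulnerable pattern and a hardened alternative.
// Not the Form Notify plugin's code. $profile is assumed to be the identity
// the site already fetched from LINE after the authorization-code exchange:
// a stable 'userId', and an 'email' only if the user granted that scope.

// WEAK PATTERN: when the provider returns no email, fall back to an email
// supplied by the browser. A cookie is attacker-controlled, so the attacker
// can name any account, including an administrator's, and be logged in as it.
function vulnerable_line_callback( array $profile ) {
    $email = $profile['email'] ?? '';
    if ( $email === '' && isset( $_COOKIE['line_fallback_email'] ) ) {
        // Assumed cookie name; the point is that the client chooses the value.
        $email = sanitize_email( wp_unslash( $_COOKIE['line_fallback_email'] ) );
    }
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_die( 'No matching account.' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID ); // logs in whoever the cookie named
}

// HARDENED PATTERN: the account is chosen only from the provider's stable
// subject identifier, resolved against a binding the site stored while the
// user was already authenticated. Nothing the client sends selects the user.
// With no binding, the login is refused; no email-based guessing at all.
function hardened_line_callback( array $profile ) {
    $line_user_id = isset( $profile['userId'] ) ? (string) $profile['userId'] : '';
    if ( $line_user_id === '' ) {
        wp_die( 'Incomplete identity from provider.' );
    }

    $user_ids = get_users( array(
        'meta_key'   => 'line_user_id', // assumed meta key for the binding
        'meta_value' => $line_user_id,
        'number'     => 2,              // more than one match is a bad binding
        'fields'     => 'ID',
    ) );
    if ( count( $user_ids ) !== 1 ) {
        wp_die( 'This LINE account is not linked to a site account. Log in and link it from your profile.' );
    }

    $user_id = (int) $user_ids[0];
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
}

// Linking step: only an already-authenticated user, on a nonce-protected
// action, may bind a LINE identity to their own account, so the binding
// itself cannot be created from outside.
function link_line_to_current_user( array $profile ) {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Log in first.' );
    }
    check_admin_referer( 'link_line_account' ); // CSRF protection for the link action
    $line_user_id = (string) ( $profile['userId'] ?? '' );
    if ( $line_user_id === '' ) {
        wp_die( 'Incomplete identity from provider.' );
    }
    update_user_meta( get_current_user_id(), 'line_user_id', $line_user_id );
}
```

The design point is that an OAuth callback must derive the local account from data the provider signed or returned over the back channel, never from anything the browser can set. Matching on a provider-returned email is only acceptable when the provider verifies that address; matching on a client-supplied one is an authentication bypass by construction.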

Live Threat

Current exploitation, exposure, and threat context

This vulnerability lets unauthenticated attackers bypass authentication and gain access to any user account, including administrators, by exploiting how the Form Notify plugin handles LINE OAuth logins. The attacker supplies a cookie that names the target user, and the plugin trusts it whenever LINE does not return an email address. Because LINE does not always supply an email to the relying site, that fallback path is reached routinely rather than only in edge cases.

  • No evidence of active exploitation.
  • No public exploit available.
  • Vulnerability affects authentication.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Update the Form Notify WordPress plugin to version 1.1.11 or later, which addresses the authentication bypass. If patching is not immediately possible, disable the plugin's LINE OAuth login functionality, or deactivate the plugin, until it can be updated; alternatively, restrict the affected WordPress instance from public access. Because the bypass yields a valid login session without any credential use, watch for account takeover indicators rather than failed-login noise: administrator logins from unfamiliar sources, newly created administrator users, role changes, and unexpected changes to plugins, themes or site settings. If compromise is suspected, expire all active sessions and reset the passwords of affected accounts.

  • Update Form Notify plugin to 1.1.11 or later.
  • Disable LINE OAuth login (or the plugin) or isolate the site until patched.
  • Monitor for account takeover: new admins, role changes, unexpected admin logins.

Frequently asked questions

What is the Form Notify plugin for WordPress?

The Form Notify plugin is an add-on for WordPress websites that provides user authentication through LINE's OAuth service, allowing users to log into a WordPress site with their LINE accounts.

What is CVE-2026-5229 in the Form Notify plugin?

CVE-2026-5229 is an authentication bypass vulnerability. It happens when the plugin incorrectly trusts cookie data after a LINE OAuth login, especially when LINE doesn't provide an email, allowing attackers to impersonate any user.

How can an attacker exploit this vulnerability?

An attacker initiates a LINE OAuth login and supplies a crafted cookie containing the email address of a target user. When LINE returns no email, the plugin uses the cookie value to select the account, so the attacker is logged in as the target without any credentials.

Who should care about this vulnerability based on Halo Surface Signal?

Organizations running WordPress sites with the Form Notify plugin that are internet-facing should care. This is because the vulnerability affects authentication, a feature typically accessible on the public internet.

What's the first step to respond to this threat?

The immediate first step is to update the Form Notify plugin to version 1.1.11 or later. If an update isn't possible, consider disabling the LINE OAuth login feature within the plugin until you can patch.
