Back to overview

CVE-2026-14956

CRITICAL
9.8
CVSS 3.1
Description
The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-field whitelist. This makes it possible for unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form. Successful exploitation requires that the site has a public Bricksforge Pro Forms element configured with the User Registration action.

Metadata

CVE ID
CVE-2026-14956
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-07 13:38 UTC
Published
2026-07-17 01:30 UTC
Last updated
2026-07-17 01:30 UTC
Primary CWE
CWE-269
CWE-269 Improper Privilege Management
Vendor / Product
Bricksforge / Bricksforge
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
Bricksforge Bricksforge 0 ≤ 3.1.8.6
Weakness (CWE)
CWESourceDescription
CWE-269 cna CWE-269 Improper Privilege Management
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Back to overview