WordPress Form Notify Plugin: Critical Authentication Bypass (CVE-2026-5229)

A critical authentication bypass vulnerability, identified as CVE-2026-5229, has been reported in the Form Notify plugin for WordPress, affecting versions up to and including 1.1.10. According to the National Vulnerability Database, this flaw stems from the plugin’s reliance on user-controlled cookie data for authentication after a LINE OAuth login. Specifically, when LINE fails to provide an email address — a common occurrence — the plugin insecurely defaults to reading the form_notify_line_email cookie value without verifying its association with the LINE account.

This design flaw creates a dangerous avenue for unauthenticated attackers. They can exploit it by initiating a LINE OAuth flow with their own account while simultaneously injecting a malicious cookie containing a target victim’s email address. The National Vulnerability Database rates this vulnerability with a CVSS score of 9.8 (CRITICAL), highlighting the severe risk. Successful exploitation grants attackers unauthorized access to any user account on the affected WordPress site, including those with administrator privileges.
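
The trust decision described above, modelled as an added example that is not the plugin's code. Apart from the form_notify_line_email cookie name, every function name, array key and account is constructed for illustration, and the 'sub' key stands for the stable user ID LINE asserts for the logged-in account. It contrasts the cookie fallback with a resolver that accepts only a LINE user ID already bound to a local account.

```php
<?php
// Added illustration, not the plugin's code. Names and data are constructed.
// Constructed user table: id => email, role, LINE user ID bound at link time.
$users = [
    1 => ['email' => 'admin@example.test', 'role' => 'administrator', 'line_sub' => null],
    2 => ['email' => 'alice@example.test', 'role' => 'subscriber',    'line_sub' => 'U-alice'],
];

function find_user(array $users, string $field, ?string $value): ?int
{
    if ($value === null || $value === '') {
        return null;                       // never match on an empty identifier
    }
    foreach ($users as $id => $user) {
        if ($user[$field] === $value) {
            return $id;
        }
    }
    return null;
}

// Flawed pattern: when LINE returns no email, a browser-supplied cookie
// decides which local account the session is issued for.
function resolve_with_cookie_fallback(array $users, array $profile, array $cookies): ?int
{
    $email = $profile['email'] ?? $cookies['form_notify_line_email'] ?? null;
    return find_user($users, 'email', $email);
}

// Hardened pattern: only the provider-asserted LINE user ID is trusted, and it
// must already be bound to a local account. Request cookies are never consulted.
function resolve_by_bound_line_id(array $users, array $profile): ?int
{
    return find_user($users, 'line_sub', $profile['sub'] ?? null);
}

// Constructed callback: LINE returned no email, and the request carries a
// cookie naming an account the LINE user does not own.
$profile = ['sub' => 'U-other'];
$cookies = ['form_notify_line_email' => 'admin@example.test'];

$weak   = resolve_with_cookie_fallback($users, $profile, $cookies);
$strict = resolve_by_bound_line_id($users, $profile);
$linked = resolve_by_bound_line_id($users, ['sub' => 'U-alice']);

printf("cookie fallback  -> %s\n", $weak === null ? 'no login' : $users[$weak]['role']);
printf("bound LINE ID    -> %s\n", $strict === null ? 'no login' : $users[$strict]['role']);
printf("linked LINE user -> %s\n", $linked === null ? 'no login' : $users[$linked]['role']);
```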

For defenders, this is a clear and present danger. The attacker’s calculus is straightforward: leverage a common OAuth fallback mechanism to achieve full account takeover with minimal effort. This isn’t theoretical; it’s a direct path to compromise for any WordPress site running the vulnerable Form Notify plugin. The implications for data integrity, confidentiality, and overall site security are profound, making immediate action imperative.

What This Means For You

  • If your organization uses the Form Notify plugin for WordPress, you must immediately check your installed version. Any version up to and including 1.1.10 is vulnerable to CVE-2026-5229. Patch or disable this plugin without delay to prevent unauthenticated attackers from gaining administrator access to your site. Audit logs for suspicious LINE OAuth logins if you've been running a vulnerable version.

🛡️ Detection Rules

Sigma rule (critical, T1190 Initial Access): WordPress Form Notify Plugin Authentication Bypass via LINE OAuth Cookie - CVE-2026-5229

title: WordPress Form Notify Plugin Authentication Bypass via LINE OAuth Cookie - CVE-2026-5229
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
  Detects possible attempts to exploit CVE-2026-5229 in web server logs. The rule matches
  POST requests to wp-login.php whose referer is a LINE domain and whose Cookie header
  carries 'form_notify_line_email', the user-controlled value the plugin trusts when LINE
  returns no email address.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5229/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains:
      - '/wp-login.php'
    cs-method:
      - 'POST'
    cs-referer|contains:
      - 'line.me'
    # The value is carried in a cookie, not the query string, so the web
    # server must be configured to log the Cookie header for this to match.
    cs-cookie|contains:
      - 'form_notify_line_email='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5229 | Auth Bypass | Form Notify plugin for WordPress versions <= 1.1.10 |
| CVE-2026-5229 | Auth Bypass | Vulnerable component: LINE OAuth login process |
| CVE-2026-5229 | Auth Bypass | Vulnerable mechanism: Trusting user-controlled 'form_notify_line_email' cookie data without verification |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 12:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.