WordPress Plugin Vulnerabilities
Advanced Form Integration < 2.1.1 - Unauthenticated Privilege Escalation via Breakdance Form Role Mapping
Description
The plugin does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user role to a public form field. This requires a specific, non-default multi-plugin configuration.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
PRIVESC
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Khaled Alenazi (Nxploited)
Submitter
Khaled Alenazi (Nxploited)
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-10 (about 21 days ago)
Added
2026-06-10 (about 20 days ago)
Last Updated
2026-06-30 (about 9 hours ago)