Smart Forms < 2.6.101 – Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure | CVE 2026-2022 | Plugin Vulnerabilities

Description

The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.100. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.

Affects Plugins

Fixed in 2.6.101

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/381ec109-ca51-4011-b7e0-aec636540d59

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

lucsob

Verified

No

WPVDB ID

b71a7f5b-3456-44e1-b519-a92c3bb11336

Timeline

Publicly Published

2026-02-13 (about 3 months ago)

Added

2026-02-13 (about 3 months ago)

Last Updated

2026-05-04 (about 9 days ago)

Other

Published

Title

Published

2026-02-13

Title

Chocolate House < 1.1.6 - Missing Authorization

Published

2025-04-16

Title

Zephyr Project Manager < 3.3.201 - Missing Authorization

Published

2024-04-22

Title

Quick Featured Images < 13.7.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Thumbnail Deletion/Setting

Published

2024-12-17

Title

WPLMS < 1.9.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Published

2023-07-10

Title

Buy Me a Coffee – Button and Widget Plugin < 3.8 - Subscriber+ Unauthorized Data Modification