Executive Summary
A critical authentication bypass vulnerability (CVE-2026-5229) affects the Form Notify plugin for WordPress in versions up to and including 1.1.10. The vulnerability allows an unauthenticated attacker to log in as any WordPress user, including site administrators, by manipulating user-controlled cookie data during the LINE OAuth authentication flow.
The root cause is the plugin's unconditional trust in session cookie data to resolve the WordPress account to authenticate — without verifying that the cookie-specified account matches the identity confirmed by the LINE OAuth provider. This carries a CVSS score of 9.8 (Critical) and requires no special privileges or account on the target site to exploit.
Sites using Form Notify with LINE OAuth enabled should update to version 1.1.11 or later immediately or disable the LINE login integration until patched.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-5229 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-302 — Authentication Bypass by Assumed-Immutable Data |
| Type | Authentication Bypass / Account Takeover |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Yes — version 1.1.11+ |
Affected Versions
| Plugin | Affected Versions | Fixed Version |
|---|---|---|
| Form Notify (WordPress) | <= 1.1.10 (with LINE OAuth login enabled) | 1.1.11 |
Technical Analysis
Root Cause
The Form Notify plugin supports LINE OAuth as a social login method for WordPress sites. After a user completes the OAuth flow, LINE returns the authenticated user's identity. However, when LINE does not return an email address (which can occur based on LINE's API scope settings), the plugin falls back to reading the WordPress account identity from a user-controlled cookie.
The plugin then authenticates the request for whichever WordPress account is named in that cookie — without verifying that the account has any relationship to the LINE identity that was actually authenticated. An attacker can:
- Initiate a LINE OAuth flow to obtain a valid OAuth session
- Before or during callback processing, set the session cookie to reference any WordPress user account (e.g., the administrator)
- Complete the callback, at which point the plugin authenticates the cookie-specified account
This is a classic assumed-immutable data vulnerability: the plugin treats cookie data as authoritative identity even though cookies are fully attacker-controlled.
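The following is an added illustration of the two patterns described above, not the Form Notify plugin's own code and not its 1.1.11 fix (which may be implemented differently). The vulnerable function resolves the account from the client-controlled cookie named in this advisory when the provider returns no email; the hardened functions resolve it only through a server-side binding between the LINE `userId` and a WordPress user, created while that user was already logged in, and fail closed otherwise. The meta key `fn_line_user_id` and the `fn_` function names are assumptions for this example.

```php
<?php
// Added example (not plugin code). Contrasts the advisory's cookie-trust pattern
// with a binding-based resolution that never lets request data choose the account.
// FN_LINE_ID_META_KEY and the fn_* names are assumed for this illustration.

/**
 * Vulnerable pattern (for contrast only): when LINE returns no email, fall back
 * to a cookie to decide which WordPress user to log in as.
 */
function fn_vulnerable_resolve_user( array $line_profile ) {
    if ( ! empty( $line_profile['email'] ) ) {
        return get_user_by( 'email', $line_profile['email'] );
    }
    // BUG (CWE-302): the cookie is fully client-controlled, so its value is not
    // evidence of anything. Cookie name as given in the advisory.
    if ( isset( $_COOKIE['form_notify_auth_user'] ) ) {
        $raw = sanitize_text_field( wp_unslash( $_COOKIE['form_notify_auth_user'] ) );
        return is_numeric( $raw ) ? get_user_by( 'id', (int) $raw ) : get_user_by( 'login', $raw );
    }
    return false;
}

// Assumed user-meta key that stores the LINE userId a WordPress account is bound to.
const FN_LINE_ID_META_KEY = 'fn_line_user_id';

/**
 * Hardened pattern: the only acceptable link between a LINE identity and a
 * WordPress account is the stored binding on the stable LINE userId. Email
 * presence is irrelevant, and no cookie or request parameter is consulted.
 */
function fn_hardened_resolve_user( array $line_profile ) {
    $line_user_id = isset( $line_profile['userId'] ) ? (string) $line_profile['userId'] : '';
    if ( '' === $line_user_id ) {
        return false; // no stable identifier from the provider: refuse to log anyone in
    }
    $ids = get_users( array(
        'meta_key'   => FN_LINE_ID_META_KEY,
        'meta_value' => $line_user_id,
        'number'     => 2,     // fetch up to two so an ambiguous binding is detectable
        'fields'     => 'ID',
    ) );
    if ( 1 !== count( $ids ) ) {
        return false; // unbound or ambiguous: never guess, never fall back to cookies
    }
    return get_user_by( 'id', (int) $ids[0] );
}

/**
 * The only place a binding is created: the currently logged-in user links their
 * own LINE identity. A LINE userId already bound to another account is rejected.
 */
function fn_link_line_identity_to_current_user( string $line_user_id ) {
    if ( ! is_user_logged_in() || '' === $line_user_id ) {
        return false;
    }
    $existing = get_users( array(
        'meta_key'   => FN_LINE_ID_META_KEY,
        'meta_value' => $line_user_id,
        'fields'     => 'ID',
    ) );
    foreach ( $existing as $id ) {
        if ( (int) $id !== get_current_user_id() ) {
            return false;
        }
    }
    update_user_meta( get_current_user_id(), FN_LINE_ID_META_KEY, $line_user_id );
    return true;
}

/** Callback step: log the resolved user in, or fail closed with a 403. */
function fn_complete_login( $user ) {
    if ( ! ( $user instanceof WP_User ) ) {
        wp_die( esc_html__( 'LINE login failed: no linked WordPress account.', 'fn-example' ), 403 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    do_action( 'wp_login', $user->user_login, $user );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The design point is that the hardened path has no branch in which the request decides the account: if the provider supplies no identifier, or no single bound account exists, the login is refused rather than resolved from a cookie. Auditing a social-login integration for this class of bug means checking every such fallback branch, not only the primary one.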
Attack Flow
1. Attacker identifies a WordPress site running Form Notify <= 1.1.10 with LINE login enabled
2. Attacker creates a LINE account (free, instant)
3. Attacker initiates the LINE OAuth flow on the target site
4. Before completing OAuth callback, attacker sets session cookie:
   e.g., form_notify_auth_user = admin (or user ID of administrator)
5. Attacker completes OAuth flow with their own valid LINE token
6. Plugin validates LINE token (passes — it's a valid token for attacker's LINE account)
7. LINE doesn't return email → plugin reads account from cookie → returns "admin"
8. Plugin creates authenticated WordPress session for the administrator account
9. Attacker is now logged in as site administrator
Exploitation Conditions
- Form Notify plugin version 1.1.10 or earlier must be installed and active
- The LINE Social Login feature must be enabled (configured per site)
- The LINE OAuth scope must not return an email address (depends on configuration; attackers can influence this)
- No prior account on the target WordPress site is required
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Admin Takeover | Attacker can log in as any user including administrators |
| Content Manipulation | Admin access enables modification of any WordPress content |
| Plugin/Theme Backdoors | Admins can install malicious plugins or edit theme PHP files |
| Data Exfiltration | Access to form submissions, user data, and WP database contents |
| Persistent Access | Attacker can create new admin accounts for ongoing control |
| SEO Spam / Defacement | Common post-compromise abuse on WordPress sites |
| Hosting Pivot | Shared hosting compromise can spread to adjacent sites |
Immediate Remediation
Step 1: Update Form Notify to Version 1.1.11 or Later
```bash
# Via WP-CLI
wp plugin update form-notify
# Verify version
wp plugin get form-notify --field=version
# Expected: 1.1.11 or higher
```
Or update via the WordPress admin panel: Plugins > Installed Plugins > Form Notify > Update Now.
Step 2: Disable LINE Login if Update Is Delayed
- Navigate to WordPress Admin > Form Notify > Settings
- Locate the LINE Login / Social Login configuration
- Disable or remove LINE OAuth credentials
- Save settings
This removes the exploitable code path until the plugin can be updated.
Step 3: Audit for Compromise
```bash
# Check for recently created administrator accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered --format=table
# Look for suspicious recent registrations (login history requires an audit plugin or server logs)
# Adjust the wp_ table prefix if the site uses a custom one
wp db query "SELECT user_login, user_email, user_registered FROM wp_users
WHERE user_registered > DATE_SUB(NOW(), INTERVAL 30 DAY)
ORDER BY user_registered DESC;"
# Check for recently modified or unusual plugins
wp plugin list --status=active --format=table
# Search for recently modified PHP files (possible backdoors)
find /var/www/html/wp-content/ -name "*.php" -newer /var/www/html/wp-login.php -type f 2>/dev/null
```
Step 4: Harden WordPress Post-Remediation
```bash
# Force password reset for all admin accounts.
# The $(openssl ...) must run inside the per-user shell so each account gets a
# distinct password; in a single outer command substitution it would run once and
# assign the same password to every administrator.
wp user list --role=administrator --format=ids \
  | xargs -n 1 sh -c 'wp user update "$1" --user_pass="$(openssl rand -base64 24)"' _
# Invalidate all active sessions (adjust the wp_ table prefix if the site uses a custom one)
wp db query "DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens';"
# Regenerate secret keys
wp config shuffle-salts
```
Detection Indicators
| Indicator | Description |
|---|---|
| New admin accounts created during vulnerability window | Attacker persistence |
| Login events with LINE OAuth for existing admin emails | Exploitation attempt |
| Cookie with manipulated user ID in access logs | Pre-exploitation recon or active attack |
| Unexpected plugin installations or theme modifications | Post-compromise activity |
| Unusual admin logins from unfamiliar IPs/ASNs | Active account takeover |
Post-Remediation Checklist
- Update Form Notify to version 1.1.11 or later
- Disable LINE login if immediate update is not possible
- Audit administrator accounts — remove any unauthorized entries
- Reset all admin passwords and regenerate WordPress secret keys
- Invalidate all sessions to force full re-authentication
- Scan for webshells in wp-content/ directory
- Review server access logs for exploitation evidence
- Enable two-factor authentication on all admin accounts
- Consider a WAF (Wordfence, Sucuri) with WordPress-specific rules
- Monitor for re-exploitation for 30 days