CVE-2026-5229 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-5229 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-5229 is a critical authentication bypass vulnerability in the Form Notify plugin for WordPress, affecting all versions up to and including 1.1.10.
Technical Detail
The flaw exists because the plugin improperly trusts user-controlled cookie data to determine the identity or role of a WordPress user, allowing an unauthenticated attacker to manipulate cookie values and assume an authenticated or privileged session without valid credentials. This type of trust boundary failure enables full authentication bypass, potentially granting an attacker administrative access to the WordPress installation depending on the privilege level the plugin resolves from the tampered cookie. The resulting impact could include unauthorized access to site administration functions, content modification, credential harvesting, or further compromise of the underlying host.
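The trust boundary failure described above is easiest to see as a before/after pair. The following is an added illustrative example, not code from the Form Notify plugin or from this briefing: the cookie name, option name, action name and capability are assumed for illustration. The vulnerable function resolves a role from a client-supplied cookie; the hardened version lets WordPress resolve the session from its signed authentication cookie and checks a capability on the resulting user, with a nonce tying a state-changing request to that session.

```php
<?php
// Added illustrative example (not the Form Notify plugin's code). Cookie name,
// option name, action name and capability are assumed for illustration.

// --- Vulnerable pattern: identity/role resolved from a client-supplied cookie.
// Everything in $_COOKIE is chosen by the client, so "administrator" here is a
// claim, not a fact. A check built on it is an authentication bypass.
function fn_example_vulnerable_is_admin(): bool {
    return isset( $_COOKIE['fn_example_role'] )
        && $_COOKIE['fn_example_role'] === 'administrator';
}

// --- Hardened pattern: WordPress validates its own signed auth cookie and
// resolves the user server-side; the capability check reads stored roles,
// so no client-supplied value decides the outcome.
function fn_example_hardened_is_admin(): bool {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    return current_user_can( 'manage_options' );
}

// A state-changing handler additionally requires a nonce, so the request is
// bound to the authenticated session (this also mitigates CSRF).
function fn_example_handle_settings_save(): void {
    if ( ! fn_example_hardened_is_admin() ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 unless a valid nonce for this action accompanies the request.
    check_admin_referer( 'fn_example_save_settings' );

    $value = sanitize_text_field( wp_unslash( $_POST['fn_example_value'] ?? '' ) );
    update_option( 'fn_example_value', $value );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_fn_example_save', 'fn_example_handle_settings_save' );
```

The point of the hardened form is that authorization is derived only from server-side state (the validated auth cookie and the stored role), never from a value the client can set; the nonce is an additional binding, not a substitute for the capability check.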
Exploitation Status
No known exploit code has been publicly identified at this time, and this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning active in-the-wild exploitation has not been confirmed. However, the straightforward nature of cookie manipulation attacks means the barrier to exploitation is low, and the absence of a known exploit should not be treated as an absence of risk.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence sources.
What To Do
WordPress site administrators running Form Notify version 1.1.10 or earlier should update the plugin to the latest available patched version immediately, given the critical CVSS score of 9.8 and the low complexity typically associated with cookie manipulation exploits. If no patched version is yet available, the plugin should be deactivated and removed until a fix is confirmed. Administrators should review server and WordPress access logs for anomalous session activity or unexpected privilege escalation events that could indicate exploitation attempts. Web application firewall rules that inspect and restrict manipulation of authentication-related cookie values may provide partial mitigation while a patch is applied.
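For the log review recommended above, a simple triage heuristic is to flag successful requests into /wp-admin/ from a client that never completed a login POST earlier in the same log window. The script below is an added example, not part of this briefing: the log lines are constructed sample data in Apache combined format, the function names are assumed, and the heuristic is a starting point for review rather than a signature (it misses logins made from a different address or before the window, and it does not know which endpoints the plugin exposes).

```php
<?php
// Added triage example (not from the briefing or the plugin). Sample log
// lines are constructed; function names are assumed.

$sample_log = <<<'LOG'
203.0.113.10 - - [01/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2026:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2026:10:05:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [01/Mar/2026:10:05:31 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 8100 "-" "curl/8.0"
192.0.2.44 - - [01/Mar/2026:10:06:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Mar/2026:10:06:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one Apache combined-format line into ip/time/method/path/status,
 * or return null if the line does not match.
 */
function fn_triage_parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

/**
 * Return the lines that reached /wp-admin/ with a 200 from a client with no
 * earlier successful login POST in the window. WordPress answers a successful
 * wp-login.php POST with a 302; a failed one returns 200 with the form.
 * admin-ajax.php is excluded because it is reachable without a session.
 */
function fn_triage_find_unauthenticated_admin_hits( array $lines ): array {
    $logged_in = [];   // ip => true once a 302 login POST was seen
    $flagged   = [];
    foreach ( $lines as $line ) {
        $r = fn_triage_parse_line( $line );
        if ( $r === null ) {
            continue;
        }
        if ( $r['method'] === 'POST' && strpos( $r['path'], '/wp-login.php' ) === 0 ) {
            if ( $r['status'] === 302 ) {
                $logged_in[ $r['ip'] ] = true;
            }
            continue;
        }
        $in_admin  = strpos( $r['path'], '/wp-admin/' ) === 0;
        $is_ajax   = strpos( $r['path'], '/wp-admin/admin-ajax.php' ) === 0;
        $succeeded = $r['status'] === 200;
        if ( $in_admin && ! $is_ajax && $succeeded && empty( $logged_in[ $r['ip'] ] ) ) {
            $flagged[] = $line;
        }
    }
    return $flagged;
}

// Expected on the sample data: the two 198.51.100.7 lines are flagged; the
// 203.0.113.10 client logged in first, and 192.0.2.44 was redirected (302)
// and then only hit admin-ajax.php.
foreach ( fn_triage_find_unauthenticated_admin_hits( explode( "\n", $sample_log ) ) as $hit ) {
    echo "SUSPICIOUS: $hit\n";
}
```

Flagged lines are leads for manual review, not verdicts: correlate them with the WordPress user list, recently changed options and any unexpected new administrator accounts before concluding that a session was forged.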