CVE-2026-5229
Form Notify · Form Notify Plugin for WordPress
The Form Notify plugin for WordPress contains an authentication bypass: during its LINE OAuth login flow it takes the account identity from a cookie the client controls, without verifying that value against anything the server or LINE has asserted.
Executive summary
An authentication bypass in the Form Notify plugin for WordPress lets an unauthenticated attacker take over any user account, including administrator accounts, by presenting a crafted cookie to the plugin's LINE login handler.
Vulnerability
The flaw is that the plugin treats user-supplied cookie data as proof of identity during its LINE OAuth flow. The cookie named 'form_notify_line_email' is fully under the client's control, so an unauthenticated attacker who sets it to the e-mail address of an existing user (the cookie name indicates the lookup key is an e-mail address, which for an administrator is often public or guessable) is logged in as that user. No password, no LINE account and no prior session are required, which is why the issue is rated as easy to exploit.
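The following PHP illustrates the weakness class described above next to the way the flow should be built. It is an added example and not code from the Form Notify plugin; the function names, the FN_LINE_* constants, the transient prefix and the 'fn_line_sub' user-meta key are hypothetical, and the LINE endpoint URLs are the documented LINE Login v2.1 endpoints, which should be checked against current LINE documentation before use. The hardened version assumes that a LINE account was linked to a WordPress user in advance by storing the LINE user ID ('sub') in user meta.

```php
<?php
// Added illustration, not code from the Form Notify plugin. Function names,
// FN_LINE_* constants and the 'fn_line_sub' meta key are hypothetical.

// --- Vulnerable pattern: the cookie IS the identity ------------------------
// Whoever sends form_notify_line_email=victim@example.com is logged in as that
// user. No password, no LINE account and no prior login are needed.
function fn_line_callback_vulnerable() {
    $email = isset( $_COOKIE['form_notify_line_email'] )
        ? sanitize_email( wp_unslash( $_COOKIE['form_notify_line_email'] ) )
        : '';
    $user = $email ? get_user_by( 'email', $email ) : false;
    if ( $user ) {
        wp_set_auth_cookie( $user->ID, true );   // trusts an unverified client claim
        wp_safe_redirect( admin_url() );
        exit;
    }
    wp_die( 'Login failed', 'LINE login', array( 'response' => 403 ) );
}

// --- Hardened pattern: identity comes only from LINE, state lives server-side
function fn_line_login_start() {
    // Single-use, server-stored state defeats CSRF and replay of the callback.
    $state = wp_generate_password( 32, false );
    set_transient( 'fn_line_state_' . $state, 1, 10 * MINUTE_IN_SECONDS );
    $url = add_query_arg( array(
        'response_type' => 'code',
        'client_id'     => FN_LINE_CLIENT_ID,
        'redirect_uri'  => FN_LINE_REDIRECT_URI,
        'state'         => $state,
        'scope'         => 'openid email',
    ), 'https://access.line.me/oauth2/v2.1/authorize' );
    wp_redirect( $url );   // external host, so wp_safe_redirect() would refuse it
    exit;
}

function fn_line_callback_hardened() {
    $code  = isset( $_GET['code'] )  ? sanitize_text_field( wp_unslash( $_GET['code'] ) )  : '';
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( '' === $code || '' === $state || false === get_transient( 'fn_line_state_' . $state ) ) {
        wp_die( 'Invalid OAuth state', 'LINE login', array( 'response' => 403 ) );
    }
    delete_transient( 'fn_line_state_' . $state );   // single use

    // Server-to-server code exchange; the browser never supplies identity data.
    $resp = wp_remote_post( 'https://api.line.me/oauth2/v2.1/token', array(
        'body' => array(
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'redirect_uri'  => FN_LINE_REDIRECT_URI,
            'client_id'     => FN_LINE_CLIENT_ID,
            'client_secret' => FN_LINE_CLIENT_SECRET,
        ),
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_die( 'Token exchange failed', 'LINE login', array( 'response' => 502 ) );
    }
    $tokens = json_decode( wp_remote_retrieve_body( $resp ), true );

    // Let LINE validate the ID token (signature, issuer, audience, expiry) and
    // take the subject and e-mail from the verified claims only.
    $verify = wp_remote_post( 'https://api.line.me/oauth2/v2.1/verify', array(
        'body' => array(
            'id_token'  => isset( $tokens['id_token'] ) ? $tokens['id_token'] : '',
            'client_id' => FN_LINE_CLIENT_ID,
        ),
    ) );
    if ( is_wp_error( $verify ) || 200 !== wp_remote_retrieve_response_code( $verify ) ) {
        wp_die( 'ID token verification failed', 'LINE login', array( 'response' => 502 ) );
    }
    $claims = json_decode( wp_remote_retrieve_body( $verify ), true );
    if ( empty( $claims['sub'] ) ) {
        wp_die( 'No subject in ID token', 'LINE login', array( 'response' => 403 ) );
    }

    // Bind on the stable LINE user ID recorded when the account was linked,
    // not on e-mail alone: an attacker who controls a LINE account carrying a
    // matching e-mail must not be able to reach an existing WordPress user.
    $users = get_users( array(
        'meta_key'   => 'fn_line_sub',
        'meta_value' => $claims['sub'],
        'number'     => 1,
    ) );
    if ( empty( $users ) ) {
        wp_die( 'LINE account is not linked to a user', 'LINE login', array( 'response' => 403 ) );
    }
    wp_set_auth_cookie( $users[0]->ID, false, is_ssl() );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The difference that matters is where the identity comes from: in the vulnerable handler the only input is a client-chosen cookie, while in the hardened one the only identity inputs are the authorization code (exchanged server-to-server with the client secret) and the ID token claims that LINE itself has verified, tied to a server-stored, single-use state value. Binding on the provider's stable subject rather than on e-mail closes the related weakness where any LINE account carrying a target's e-mail address would map onto that target's WordPress account.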
Business impact
An unauthenticated attacker obtaining administrative access is a critical risk to the confidentiality, integrity and availability of the site. With a CVSS score of 9.8, this flaw amounts to a full compromise of the WordPress environment: an administrator can install plugins, edit theme code and read or export any stored data, so the realistic outcome is complete site takeover and data exfiltration.
Remediation
Immediate Action: Update the Form Notify plugin to the latest version provided by the vendor, and confirm the installed version is one the vendor identifies as fixed.
Proactive Monitoring: Review web server access logs for anomalous requests to the plugin's LINE OAuth login and callback endpoints, such as callback hits without a preceding redirect to LINE, repeated hits from a single source, or logins followed immediately by administrative actions. Note that default access-log formats do not record cookie values, so the crafted 'form_notify_line_email' cookie itself will usually not be visible; correlate with WordPress user activity (new administrator accounts, changed e-mail addresses, unexpected plugin or theme changes) rather than relying on the access log alone.
Compensating Controls: Until the update is applied, use a Web Application Firewall (WAF) to block requests that carry the 'form_notify_line_email' cookie or otherwise manipulate the plugin's authentication parameters. Because the plugin's own flow depends on that cookie, this will also break legitimate LINE logins; that is acceptable as a stopgap, and disabling the plugin's LINE login feature (or the plugin) until patched achieves the same effect more simply.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical CVSS severity of 9.8 and the ease of exploitation, immediate patching is required. Administrators should verify their current version and update the Form Notify plugin without delay. Because the exploitation status is unknown and a takeover that has already occurred is not undone by the update, patching should be followed by an audit of user accounts (especially newly created or modified administrators), active sessions, and recent plugin and theme changes, with credentials rotated where compromise is suspected.