CVE-2026-14956
Bricksforge · Bricksforge
The Bricksforge WordPress plugin contains a privilege escalation vulnerability in the Pro Forms component, allowing unauthenticated attackers to register new administrator accounts.
Executive summary
A critical privilege escalation vulnerability in the Bricksforge WordPress plugin allows unauthenticated attackers to create unauthorized administrative accounts, posing a severe risk of total site compromise.
Vulnerability
This flaw stems from improper validation of the fieldIds parameter within the Pro Forms registration action. An unauthenticated attacker can manipulate this parameter to inject unauthorized field IDs into the registration process, successfully creating an account with administrative privileges.
Business impact
The ability for an unauthenticated user to elevate their privileges to administrator level grants them full control over the WordPress installation. This leads to complete data exfiltration, unauthorized content modification, and potential malware distribution. With a CVSS score of 9.8, this vulnerability represents a critical threat to business continuity and data integrity.
Remediation
Immediate Action: Update the Bricksforge plugin to the latest available version immediately to patch the validation logic flaw.
Proactive Monitoring: Review user account creation logs for suspicious or unauthorized administrator registrations.
Compensating Controls: Disable public-facing Pro Forms registration elements until the patch has been applied to prevent exploitation.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical nature of this privilege escalation vulnerability, administrators must prioritize updating the Bricksforge plugin. Immediate action is required to prevent unauthorized access and potential full system takeover.