The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user role to a public form field. This requires a specific, non-default multi-integration configuration.
The Advanced Form Integration plugin for WordPress contains a critical privilege escalation vulnerability that permits unauthenticated users to create administrator accounts through public form submissions. When the plugin is configured with integrations that map user roles to form fields, attackers can submit forms with elevated role values (such as 'administrator') without authentication restrictions. This vulnerability affects WordPress sites using versions of the plugin before 2.1.1 with specific multi-integration configurations, potentially allowing complete site compromise through account takeover and administrative access. The high CVSS score of 8.1 reflects the ease of exploitation and severe impact—any public-facing form could become an admin account factory.
While this vulnerability doesn't currently map to traditional MITRE ATT&CK techniques in standard databases, Casky's Claude-powered analysis would detect attack patterns associated with Account Manipulation (T1098) and Privilege Escalation (T1548) by monitoring form submission logs and user creation events. Practitioners using Casky would observe anomalous user registration patterns—specifically, rapid or unusual creation of administrator-level accounts from public form endpoints, mismatches between submitted form field values and actual user role assignments, and authentication bypasses on account creation workflows. Extended reasoning across Casky's 754 security skills would flag the absence of role validation controls, insufficient input sanitization on privilege-escalation fields, and missing authentication checks on user provisioning logic as the root causes requiring immediate remediation through plugin updates.
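A stopgap for sites that cannot move to 2.1.1 right away, as an added example (not the plugin's code or its vendor's fix): a must-use plugin that clamps the role of any account created without an authorised operator and logs the attempt. It assumes the integration creates users through `wp_insert_user()`, so the core `user_register` hook fires after the role is applied; the file path, the function name `afi_example_allowed_public_roles()` and the log format are hypothetical.

```php
<?php
/**
 * Plugin Name: Clamp roles on unauthenticated user creation (added example)
 * Hypothetical location: wp-content/mu-plugins/clamp-public-roles.php
 */

// Roles a visitor-driven signup may receive. Assumption: only the site's
// configured default role is acceptable; extend this list deliberately.
function afi_example_allowed_public_roles() {
    return array( get_option( 'default_role', 'subscriber' ) );
}

// Runs after wp_insert_user() has stored the account and applied its role.
add_action( 'user_register', function ( $user_id ) {
    // WP-CLI and cron run without a logged-in user; leave them alone.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
        return;
    }
    // An operator who may create users chose this role on purpose.
    if ( is_user_logged_in() && current_user_can( 'create_users' ) ) {
        return;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // Any role outside the allowlist came from request data, not an operator.
    $allowed    = afi_example_allowed_public_roles();
    $disallowed = array_diff( (array) $user->roles, $allowed );
    if ( empty( $disallowed ) ) {
        return;
    }

    // Replace every assigned role with the default one and leave an audit trail.
    $user->set_role( $allowed[0] );
    error_log( sprintf(
        '[role-clamp] user_id=%d login=%s requested_roles=%s uri=%s ip=%s clamped_to=%s',
        $user_id,
        $user->user_login,
        implode( ',', $disallowed ),
        isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-',
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-',
        $allowed[0]
    ) );
}, PHP_INT_MAX );
```

The `[role-clamp]` log lines double as a detection signal: each one records a public request that asked for a role outside the allowlist.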
Casky has 0 skills that investigate the attack patterns behind CVE-2026-11794. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation