WordPress Form Notify Plugin Authentication Bypass via Cookie Manipulation

The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address (which is common), the plugin falls back to reading the 'form_notify_line_email' cookie value without verifying that the LINE account is associated with that email address. This makes it possible for unauthenticated attackers to gain access to any user account on the site, including administrator accounts, by completing a LINE OAuth flow with their own LINE account while injecting a malicious cookie containing the target victim's email address.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

The Form Notify plugin for WordPress versions up to 1.1.10 contains a critical authentication bypass vulnerability (CVSS 9.8) that exploits improper session management during OAuth authentication. When authenticating users through LINE OAuth, the plugin fails to validate that a LINE account is actually associated with the email address provided in user-controlled cookies. Instead of enforcing server-side verification, it trusts the 'form_notify_line_email' cookie value directly—a classic case of CWE-287 (Improper Authentication). This allows attackers to forge cookies and assume the identity of any WordPress user, bypassing all legitimate authentication mechanisms. Organizations using this plugin across their WordPress infrastructure face immediate account takeover risks, with potential impact to admin accounts, sensitive data exposure, and lateral movement within their environments.

Casky's 261 matching security skills, powered by Claude AI's extended reasoning, detect the attack patterns underlying this vulnerability across MITRE ATT&CK techniques TA0004 (Privilege Escalation) and TA0006 (Credential Access). Practitioners using Casky would identify suspicious findings including: abnormal OAuth callback patterns where LINE authentication succeeds but email validation is bypassed; cookie manipulation indicators showing 'form_notify_line_email' values inconsistent with actual LINE account data; and privilege escalation events where low-privileged or unauthenticated users suddenly gain admin-level WordPress access. The platform's skills would flag authentication flows that skip verification steps, detect impossible travel scenarios (authentication from unexpected geographic origins via cookie injection), and correlate cookie-based login attempts with account takeover patterns—enabling security teams to catch exploitation before attackers establish persistent access.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-5229.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-5229

Casky has 261 skills that investigate the attack patterns behind CVE-2026-5229. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn