CVE-2026-6206— MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
Possible ATT&CK Techniques 1AI
T1005 · Data from Local SystemAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| websoudan | MW WP Form | ≤ 5.1.2 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6206
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| websoudan | MW WP Form | 0 ~ 5.1.2 | - |
II. Public POCs for CVE-2026-6206
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6206
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: MW WP Form
- CVE-2026-5436
MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move vi - CVE-2026-4347
MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move vi - CVE-2023-46206
WordPress MW WP Form plugin <= 4.4.5 - Broken Access Control - CVE-2024-24804
WordPress MW WP Form Plugin <= 5.0.6 is vulnerable to Cross - CVE-2023-6316
MW WP Form <= 5.0.1 - Unauthenticated Arbitrary File Upload
Same weakness: CWE-639
- CVE-2026-45666
Open WebUI: Indirect Object Reference (IDOR) in user notes - CVE-2026-44570
Open WebUI: Inconsistent authorization controls within memor - CVE-2026-45402
Open WebUI: Cross-User File Access via Unchecked file_id in - CVE-2026-45386
Open WebUI: An IDOR vulnerability exists in the pin_channel_ - CVE-2026-45398
Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Acc
V. Comments for CVE-2026-6206
No comments yet