CVE-2026-6206

Source
https://cve.org/CVERecord?id=CVE-2026-6206
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6206.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-6206
Published
2026-05-14T08:24:26.532Z
Modified
2026-07-08T08:12:41.256752838Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
Details

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfrom_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

Database specific
{
    "cna_assigner": "Wordfence",
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6206.json"
}
References

Affected packages

Git / github.com/web-soudan/mw-wp-form

Affected ranges

Type
GIT
Repo
https://github.com/web-soudan/mw-wp-form
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.1.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

5.*
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.1.0
5.1.1
5.1.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6206.json"