CVE-2026-5229 Overview
CVE-2026-5229 is an authentication bypass vulnerability in the Form Notify plugin for WordPress, affecting versions up to and including 1.1.10. The plugin trusts user-controlled cookie data when determining which WordPress account to authenticate after a LINE OAuth login. When LINE does not return an email address, the plugin falls back to reading the form_notify_line_email cookie without verifying that the LINE account is associated with that email. Unauthenticated attackers can complete a LINE OAuth flow with their own LINE account while injecting a cookie containing a victim's email address, gaining access to that user's WordPress account, including administrator accounts. The flaw is classified under [CWE-287] Improper Authentication.
Critical Impact
Unauthenticated attackers can take over any WordPress account, including administrators, by injecting a cookie during the LINE OAuth flow.
Affected Products
- Form Notify plugin for WordPress, versions up to and including 1.1.10
- Fixed in Form Notify version 1.1.10 (cookie fallback removal) with additional hardening in 1.1.11
- WordPress sites configured with LINE Login via the Form Notify plugin
Discovery Timeline
- 2026-05-15 - CVE-2026-5229 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-5229
Vulnerability Analysis
The vulnerability resides in the LINE OAuth login flow implemented in src/APIs/Line/Login/Route.php and src/APIs/Line/Login/User.php. After a successful LINE OAuth callback, the plugin attempts to associate the LINE identity with a WordPress account using an email address. LINE OAuth frequently omits the email field from the userinfo response. In that case, the plugin reads the form_notify_line_email cookie set on the client and uses its value as the lookup key for get_user_by('email', ...). No cryptographic binding exists between the LINE account presented and the email value read from the cookie.
An attacker initiates the LINE OAuth flow from their own browser using their own LINE account. Before the callback is processed, the attacker overwrites the form_notify_line_email cookie with the email of any registered WordPress user, including an administrator. The plugin then logs the attacker into the victim's account, granting full session privileges. Exploitation is unauthenticated, requires no user interaction beyond the attacker's own OAuth flow, and is reachable over the network.
Root Cause
The root cause is trust placed in client-controlled state to drive an authentication decision. The plugin treats a cookie value as an authoritative identifier instead of binding the WordPress account to a verified LINE user ID returned by the identity provider.
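The root cause and its remedy, shown as an added illustrative pattern rather than the plugin's actual code: the vulnerable lookup lets a cookie choose the account, while the hardened lookup binds the WordPress account to the LINE user ID (the `sub` claim) stored in user meta and never consults client state. The shape of the `$line_user` array and the `line_user_id` meta key are assumptions.

```php
<?php
// Added example, not the Form Notify plugin's code. Assumes $line_user is the
// decoded LINE identity with a 'sub' (stable LINE user ID) and optional 'email',
// and that linked accounts keep the LINE ID under the hypothetical meta key 'line_user_id'.

// VULNERABLE: when the provider omits the email, a client-controlled cookie selects the account.
function fn_vulnerable_resolve_user( array $line_user ) {
    $email = $line_user['email'] ?? '';
    if ( '' === $email && isset( $_COOKIE['form_notify_line_email'] ) ) {
        // Anyone can set this cookie; nothing ties its value to the LINE account presented.
        $email = sanitize_email( wp_unslash( $_COOKIE['form_notify_line_email'] ) );
    }
    return '' !== $email ? get_user_by( 'email', $email ) : false;
}

// HARDENED: only the identity provider's subject identifier selects the account.
function fn_hardened_resolve_user( array $line_user ) {
    $line_id = (string) ( $line_user['sub'] ?? '' );
    if ( '' === $line_id ) {
        return false; // no verified identity from LINE, no login
    }
    $linked = get_users( array(
        'meta_key'   => 'line_user_id', // hypothetical meta key holding the LINE 'sub'
        'meta_value' => $line_id,
        'number'     => 1,
    ) );
    if ( ! empty( $linked ) ) {
        return $linked[0];
    }
    // First login: link by email only when LINE itself returned one; cookies are never read.
    $provider_email = sanitize_email( $line_user['email'] ?? '' );
    if ( '' !== $provider_email ) {
        $user = get_user_by( 'email', $provider_email );
        if ( $user ) {
            update_user_meta( $user->ID, 'line_user_id', $line_id );
            return $user;
        }
    }
    return false; // unknown LINE account: fall through to registration or deny
}
```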
Attack Vector
The attack is remote and pre-authentication. The attacker only needs a valid LINE account, the target site's LINE login URL, and the email address of the victim account.
// Patch reference: form-notify.php version bump removing cookie-based email fallback
* Plugin Name: FormNotify
* Plugin URI: https://oberonlai.blog/form-notify
* Description: Notification for WordPress form plugins.
- * Version: 1.1.09
+ * Version: 1.1.10
* Author: Daily WPdev.
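Review bot: only the plugin-header version bump from 1.1.09 to 1.1.10 is visible in this hunk; the removal of the form_notify_line_email cookie fallback that the "Patch reference" line describes is not part of these lines, so the fix itself cannot be reviewed here. Include the src/APIs/Line/Login/User.php and src/APIs/Line/Login/Route.php changes in the reviewed diff, since a header version bump on its own changes no runtime behaviour.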
Source: GitHub commit 5eab0ea. The accompanying code change removes the form_notify_line_email cookie fallback in src/APIs/Line/Login/User.php around lines 53 and 72, and the route handler in src/APIs/Line/Login/Route.php lines 116-118.
Detection Methods for CVE-2026-5229
Indicators of Compromise
- Unexpected administrator or privileged user logins originating from the LINE OAuth callback endpoint registered by the Form Notify plugin.
- HTTP requests to the LINE login callback that include a form_notify_line_email cookie whose value does not match the email returned by the LINE userinfo response.
- Newly issued WordPress session cookies for administrator accounts immediately following a /wp-json/ or LINE OAuth callback request from an unfamiliar IP address.
Detection Strategies
- Inspect web server access logs for requests to the Form Notify LINE login callback and correlate them with wp_login events for high-privilege users.
- Audit installed Form Notify plugin versions across managed WordPress sites and flag any instance running version 1.1.10 or earlier.
- Enable WordPress authentication logging plugins or SIEM ingestion of wp_login and wp_login_failed actions to identify anomalous login patterns tied to LINE OAuth.
Monitoring Recommendations
- Forward WordPress authentication and plugin update logs to a centralized SIEM and alert on administrator logins via the LINE OAuth handler.
- Monitor for cookie tampering by recording Cookie headers on the LINE callback endpoint and alerting when form_notify_line_email is present alongside an authenticated session change.
- Track outbound HTTP traffic from the WordPress host to LINE OAuth endpoints to baseline normal activity and surface anomalies.
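An implementation of the cookie-tampering alert described above (the form_notify_line_email cookie present alongside an authenticated session change), written as an added must-use plugin example and not part of Form Notify: it hooks WordPress's `set_auth_cookie` action, which fires whenever an authentication cookie is issued, and emits a JSON event for the SIEM. The `line_cookie_privileged_login` action name is an assumption.

```php
<?php
/**
 * Plugin Name: LINE email-cookie login monitor (added example, not part of Form Notify)
 * Place in wp-content/mu-plugins/ so it stays active regardless of regular plugin state.
 */
add_action( 'set_auth_cookie', function ( $auth_cookie, $expire, $expiration, $user_id ) {
    // Only session issuance that arrived with the cookie the vulnerable fallback reads matters.
    if ( ! isset( $_COOKIE['form_notify_line_email'] ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $event = array(
        'event'        => 'auth_cookie_issued_with_line_email_cookie',
        'user_login'   => $user->user_login,
        'user_id'      => $user_id,
        'privileged'   => user_can( $user, 'manage_options' ),
        // In the bypass the cookie names the victim, so it will match the account logged into.
        'cookie_email' => sanitize_email( wp_unslash( $_COOKIE['form_notify_line_email'] ) ),
        'remote_addr'  => $_SERVER['REMOTE_ADDR'] ?? '',
        'request_uri'  => $_SERVER['REQUEST_URI'] ?? '',
        'time_utc'     => gmdate( 'c' ),
    );
    // The PHP error log is already shipped by most SIEM agents; replace with your own sink.
    error_log( wp_json_encode( $event ) );
    if ( $event['privileged'] ) {
        // Assumed hook name: lets an alerting plugin page on privileged cases.
        do_action( 'line_cookie_privileged_login', $event );
    }
}, 10, 4 );
```

Correlate the resulting events with web server access-log entries for the LINE callback endpoint; any privileged entry should be investigated as a possible exploitation of this flaw.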
How to Mitigate CVE-2026-5229
Immediate Actions Required
- Update the Form Notify plugin to version 1.1.11 or later on every WordPress site where it is installed.
- Force a password reset and invalidate active sessions for all administrator and privileged accounts on affected sites.
- Review user lists for unauthorized accounts and audit recent administrative changes, including new plugins, themes, and option modifications.
Patch Information
The vendor released version 1.1.10, which removes the cookie-based email fallback in the LINE login flow, and version 1.1.11, which adds broader security hardening. Reference commits: GitHub commit 5eab0ea and GitHub commit 9780764. Additional details are available in the Wordfence Vulnerability Report and the WordPress Plugin Changeset.
Workarounds
- Deactivate the Form Notify plugin until the site can be upgraded to a fixed version.
- Disable the LINE Login feature within the plugin configuration if deactivation is not possible.
- Use a web application firewall rule to strip or block the form_notify_line_email cookie on requests to the LINE OAuth callback endpoint.
# Update the Form Notify plugin via WP-CLI to the patched release
wp plugin update form-notify --version=1.1.11
wp plugin list --name=form-notify --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


