Summary
CVE-2026-14956 is a critical unauthenticated privilege escalation vulnerability in the Bricksforge plugin for WordPress, affecting all versions up to and including 3.1.8.6. By submitting a specially crafted request to a publicly accessible Bricksforge Pro Forms registration form, an unauthenticated remote attacker can register a new WordPress administrator account, resulting in full site compromise. This vulnerability carries a CVSS v3.1 base score of 9.8 (Critical).
Technical details
- Root cause: The Pro Forms User Registration action fails to properly validate the
fieldIdsparameter, allowing attacker-supplied field IDs to be injected into the plugin’s trusted form-field whitelist without authorization. - Trigger condition: The target WordPress site must have a publicly accessible Bricksforge Pro Forms element configured with the User Registration action enabled.
- Attack vector: A remote, unauthenticated attacker sends a crafted HTTP request to the exposed Pro Forms registration endpoint, manipulating the
fieldIdsparameter to bypass the intended whitelist validation and register a new account with WordPress administrator privileges. - Impact: Full site takeover — the attacker-controlled administrator account can be leveraged to install malicious plugins, upload PHP webshells, modify theme code, and exfiltrate sensitive data stored in the WordPress database.
Affected software
- Bricksforge plugin for WordPress, all versions up to and including 3.1.8.6
Severity
- CVSS v3.1 Base Score: 9.8 (Critical)
- Vector string:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Mitigation and recommended actions
- No patched version has been confirmed at the time of publication (2026-07-17). Monitor the official Bricksforge changelog at bricksforge.io/version-changelog/ for a security release and apply it immediately upon availability.
- Immediate workaround: Audit all WordPress sites running Bricksforge and disable or unpublish any Pro Forms elements configured with the User Registration action on publicly accessible pages until an official patch is available.
- Sites that do not use the Pro Forms User Registration action are not directly exploitable via this vulnerability path, but upgrading once a patch is released remains strongly recommended.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

