CVE-2026-1729

CRITICAL

AdForest theme <6.0.12 - Auth Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-1729. PoCs published by XiaomingX, ninjazan420.

AI-analyzed exploit summary The repository contains a functional SQL injection exploit for CVE-2025-10042, targeting WordPress Quiz Maker plugin versions <= 6.7.0.56. The exploit uses time-based blind SQLi to extract admin credentials and hashes.

Description

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sb_login_user_with_otp_fun' function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-1729

View Code ZIP pw:eip

The repository contains a functional SQL injection exploit for CVE-2025-10042, targeting WordPress Quiz Maker plugin versions <= 6.7.0.56. The exploit uses time-based blind SQLi to extract admin credentials and hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target WordPress URL · path to quiz page · vulnerable header for injection

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 1 stars

by ninjazan420 · poc

https://github.com/ninjazan420/CVE-2026-1729-PoC-AdForest-WordPress-Authentication-Bypass

View Code ZIP pw:eip

This is a functional PoC for CVE-2026-1729, an authentication bypass vulnerability in the AdForest WordPress theme. It exploits a flawed OTP validation mechanism to gain admin access without credentials.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: AdForest WordPress Theme (vulnerable versions)

No auth needed

Prerequisites: Target must have AdForest theme installed · Target must be running a vulnerable version of the theme · No WAF/security plugins blocking the request

MITRE ATT&CK

T1110.001 - Password Guessing T1552.001 - Credentials In Files

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Various Sources

https://themeforest.net/item/adforest-classified-wordpress-theme/19481695

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/34fd42cb-3868-4b1c-bc56-575faf01e8f3?source=cve

Scores

CVSS v3 9.8

EPSS 0.0013

EPSS Percentile 32.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-306

Status published

Products (1)

scriptsbundle/AdForest < 6.0.12

Published Feb 12, 2026

Tracked Since Feb 18, 2026