WordPress Plugin Vulnerabilities

Forminator Forms – Contact Form, Payment Form & Custom Form Builder < 1.36.0 - Missing Authorization to Authenticated (Contributor+) Form Update and Creation

Description

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms.

Affects Plugins

Plugin icon
forminator
Fixed in 1.36.0

References

CVE
CVE-2024-10402
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/be1d9d2b-cbdf-4d62-85fe-2616eaf02848

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
0ebbb1ce-8cae-494f-98a5-50060d7b2bf4

Timeline

Publicly Published
2024-10-25 (about 1 year ago)
Added
2024-10-29 (about 1 year ago)
Last Updated
2024-10-29 (about 1 year ago)

Other

Published
Title
Published
2023-07-26
Title
InstaWP Connect < 0.0.9.19 - Unauthenticated Data Modification
Published
2026-02-07
Title
Shopwell < 1.0.12 - Missing Authorization
Published
2024-10-10
Title
Linkz.ai < 1.2.0 - Subscriber+ Plugin Settings Update
Published
2026-02-17
Title
ShopLentor < 3.3.3 - Unauthenticated Email Relay Abuse
Published
2026-02-17
Title
Taskbuilder < 5.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Project/Task Comment Creation