WordPress Plugin Vulnerabilities

Piotnet Forms < 1.0.30 - Missing Authorization via multiple AJAX actions

Description

The plugin is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX functions, allowing unauthenticated attackers to save draft posts and download arbitrary JSON files from the server.

Affects Plugins

Plugin icon
piotnetforms
Fixed in 1.0.30

References

CVE
CVE-2023-51413
URL
https://patchstack.com/database/vulnerability/piotnetforms/wordpress-piotnet-forms-plugin-1-0-25-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
16e35e2b-a1a9-41d0-9a87-8e70385bfa0a

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-02-22 (about 2 years ago)

Other

Published
Title
Published
2025-11-21
Title
CP Contact Form with PayPal < 1.3.57 - Missing Authorization to Unauthenticated Arbitrary Payment Confirmation
Published
2022-06-02
Title
HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion
Published
2025-04-01
Title
Insert Headers and Footers Code – HT Script < 1.1.3 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Published
2024-11-22
Title
Product Table for WooCommerce by CodeAstrology (wooproducttable.com) < 3.5.2 - Information Exposure
Published
2023-11-03
Title
Animated Rotating Words < 5.5 - Cross-Site Request Forgery via save_admin_options