WordPress Plugin Vulnerabilities

Contact Form builder with drag & drop for WordPress – Kali Forms < 2.3.42 - Missing Authorization

Description

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized access and modification of data via API due to an inconsistent capability check on several REST endpoints in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with contributor access and higher, to obtain access to or modify forms or entries.

Affects Plugins

Plugin icon
kali-forms
Fixed in 2.3.42

References

CVE
CVE-2024-1218
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ed1aae32-6040-4c42-b8a7-4c3be371a8c0

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
1ed625a0-4922-480d-8257-67f8e85d2a0a

Timeline

Publicly Published
2024-02-19 (about 2 years ago)
Added
2024-02-19 (about 2 years ago)
Last Updated
2024-02-19 (about 2 years ago)

Other

Published
Title
Published
2024-06-06
Title
Extra Product Options for WooCommerce < 3.0.7 - Missing Authorization
Published
2025-09-22
Title
Classic Widgets with Block-based Widgets <= 1.0.1 - Missing Authorization
Published
2024-12-18
Title
Computer Repair Shop < 3.8120 - Authenticated (Customer+) Privilege Esclation via Account Takeover
Published
2025-11-17
Title
Live sales notification for WooCommerce < 2.3.40 - Missing Authorization to Unauthenticated Customer Data Exposure
Published
2026-01-22
Title
Final User <= 1.2.5 - Missing Authorization