WordPress Plugin Vulnerabilities

ApplyOnline – Application Form Builder and Manager < 2.6.7.2 - Missing Authorization

Description

The ApplyOnline – Application Form Builder and Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the template_form_callback() function in versions up to, and including, 2.6.7.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to render templates.

Affects Plugins

Plugin icon
apply-online
Fixed in 2.6.7.2

References

CVE
CVE-2025-22721
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e23739b7-be36-441d-9b73-f51a0184a465

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
233bbb88-ba72-4c4f-8941-df8b97a18cff

Timeline

Publicly Published
2025-01-15 (about 1 year ago)
Added
2025-01-21 (about 1 year ago)
Last Updated
2025-01-21 (about 1 year ago)

Other

Published
Title
Published
2024-12-02
Title
FloristPress < 7.4.0 - Missing Authorization to Sensitive Data Exposure
Published
2026-01-19
Title
Simple Membership < 4.7.0 - Missing Authorization
Published
2024-08-28
Title
Blockbooster < 1.0.11 - Missing Authorization
Published
2025-01-24
Title
People Lists < 2.0.0 - Missing Authorization
Published
2025-02-22
Title
Essential Blocks for Gutenberg < 4.8.4 - Missing Authorization