WordPress Plugin Vulnerabilities

Contact Form builder with drag & drop - Kali Forms < 2.3.28 - Missing Authorization via Contact Form

Description

The Contact Form builder with drag & drop - Kali Forms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing check on the run_form_process_checks function in versions up to, and including, 2.3.27. This makes it possible for unauthenticated attackers to submit forms even when they are not currently published.

Affects Plugins

Plugin icon
kali-forms
Fixed in 2.3.28

References

CVE
CVE-2023-46083
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bfb473a6-08ba-4b23-877d-4aa661c0053f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Revan Arifio
Verified
No
WPVDB ID
689cf492-1a32-4cb5-afa1-c085be778793

Timeline

Publicly Published
2023-10-16 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-12 (about 2 years ago)

Other

Published
Title
Published
2023-03-06
Title
Gallery Blocks with Lightbox < 3.0.8 - Subscriber+ Arbitrary Options Update
Published
2024-03-08
Title
HT Easy GA4 – Google Analytics WordPress Plugin < 1.2.0 - Missing Authorization to Unauthenticated GA4 Email Update
Published
2025-03-14
Title
Give < 3.22.1 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function
Published
2025-10-27
Title
WpResidence < 5.3.2.1 - Missing Authorization
Published
2025-12-12
Title
Popup Builder < 1.1.39 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Reset