Funnelforms Free < 3.4.2 – Missing Authorization to Category Update | CVE 2023-5417 | Plugin Vulnerabilities

Description

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the Funnelforms category for a given post ID.

Affects Plugins

funnelforms-free

Fixed in 3.4.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/148794ea-3bc9-4084-bdb9-6ee63a781a39

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Alex Thomas

Verified

No

WPVDB ID

6a56eb3e-52bc-4754-9807-d95d53969d21

Timeline

Publicly Published

2023-11-01 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-02-17

Title

Scratch & Win – Giveaways and Contests < 2.9.0 - Missing Authorization to Unauthenticated Coupon Creation

Published

2026-01-22

Title

Membership <= 1.6.4 - Missing Authorization

Published

2026-03-16

Title

Admin Safety Guard — Login Security & 2FA <= 1.2.6 - Missing Authorization

Published

2025-11-21

Title

Appointment Booking Calendar < 1.3.97 - Missing Authorization to Arbitrary Booking Confirmation via 'cpabc_ipncheck' Parameter

Published

2026-02-06

Title

myCred < 2.9.7.4 - Missing Authorization