WordPress Plugin Vulnerabilities

FormCraft < 1.2.8 - Missing Authorization via formcraft_nag_update

Description

The FormCraft plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the formcraft_nag_update AJAX nopriv_ function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to delay or disable update notifications.

Affects Plugins

Plugin icon
formcraft-form-builder
Fixed in 1.2.8

References

CVE
CVE-2023-47823
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/25d5735a-8eed-4b4a-9bbe-9e42fb18ddf2

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
7404f6e1-beb6-435b-a18c-0eb1c810bf3e

Timeline

Publicly Published
2023-11-16 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-01-30
Title
Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending
Published
2025-10-14
Title
Zip Attachments <= 1.6 - Missing Authorization to Limited File Deletion
Published
2025-01-06
Title
SMS Alert Order Notifications – WooCommerce < 3.7.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2024-04-30
Title
Custom WooCommerce Checkout Fields Editor < 1.3.2 - Missing Authorization
Published
2025-12-10
Title
Homey Core < 2.4.4 - Missing Authorization