Hash Form < 1.2.2 – Missing Authorization to Authenticated (Contributor+) Form Style Creation | CVE 2024-12201 | Plugin Vulnerabilities

Description

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check when creating form styles in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create new form styles.

Affects Plugins

Fixed in 1.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/bb81b2ce-583b-411c-b0f5-a233e0d1986b

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Noah Stead (TurtleBurg)

Verified

No

WPVDB ID

8164cdaa-4ed2-4f47-b379-3dbba08be104

Timeline

Publicly Published

2024-12-11 (about 1 year ago)

Added

2024-12-11 (about 1 year ago)

Last Updated

2024-12-12 (about 1 year ago)

Other

Published

Title

Published

2024-12-02

Title

Simple User Registration < 6.0 - Missing Authorization to User Deletion

Published

2023-09-12

Title

WP User Control <= 1.5.3 - Unauthenticated password reset

Published

2024-04-25

Title

Metform Elementor Contact Form Builder < 3.8.4 - Missing Authorization to Notice Dismissal

Published

2026-01-25

Title

Fluent Forms < 6.1.15 - Subscriber+ Missing Authorization

Published

2023-11-23

Title

Consensu.io < 1.0.4 - Unauthenticated Settings Update