SureForms – Drag and Drop Form Builder for WordPress < 1.2.3 – Missing Authorization to Unauthenticated Protected Post Disclosure | CVE 2024-12713 | Plugin Vulnerabilities

Description

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to.

Affects Plugins

Fixed in 1.2.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/412d5fa7-08fc-402a-bcac-b2dff87de861

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

87288ee5-42d1-4bb1-b53a-33c1567b8bd1

Timeline

Publicly Published

2025-01-07 (about 1 year ago)

Added

2025-01-07 (about 1 year ago)

Last Updated

2025-01-08 (about 1 year ago)

Other

Published

Title

Published

2022-08-10

Title

Directorist < 7.3.1 - Unauthenticated Email Address Disclosure

Published

2025-04-03

Title

Payday <= 3.3.18 - Missing Authorization

Published

2024-03-11

Title

Mollie Forms < 2.6.4 - Missing Authorization to Arbitrary Post Duplication

Published

2025-09-25

Title

Email marketing for WordPress by GetResponse Official < 1.5.4 - Missing Authorization

Published

2024-11-15

Title

PostX < 4.1.17 - Missing Authorization to Arbitrary Plugin Installation/Activation