Views for WPForms < 3.2.3 – Missing Authorization via create_view | CVE 2024-0371 | Plugin Vulnerabilities

Description

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'create_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views.

Affects Plugins

views-for-wpforms-lite

Fixed in 3.2.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a9565693-fd0b-4412-944c-81b3cd79492e

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

8bdb2e42-ff7c-4a6c-af58-1d2e783d489e

Timeline

Publicly Published

2024-01-24 (about 2 years ago)

Added

2024-01-24 (about 2 years ago)

Last Updated

2024-01-24 (about 2 years ago)

Other

Published

Title

Published

2019-08-09

Title

Woody Ad Snippets < 2.2.6 - Arbitrary Post Deletion

Published

2021-11-15

Title

Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access

Published

2020-08-21

Title

Contact Form - Form builder by Kali Forms < 2.1.2 - Authenticated Plugin's Settings Change

Published

2024-03-19

Title

Coming Soon & Maintenance Mode by Colorlib <= 1.0.99 - Information Exposure

Published

2024-07-19

Title

WP Mail SMTP < 4.1.0 - Admin+ SMTP Password Exposure