WordPress Plugin Vulnerabilities

Mollie Forms < 2.6.4 - Missing Authorization to Arbitrary Post Duplication

Description

The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages.

Affects Plugins

Plugin icon
mollie-forms
Fixed in 2.6.4

References

CVE
CVE-2024-1400
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/43c4ca71-0bf0-4529-97d9-2349f96bbb9e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
8dd25ea1-0b28-4443-823c-90f6795f1577

Timeline

Publicly Published
2024-03-11 (about 2 years ago)
Added
2024-03-11 (about 2 years ago)
Last Updated
2024-03-11 (about 2 years ago)

Other

Published
Title
Published
2023-11-15
Title
WP Like Button <= 1.7.0 - Missing Authorization via crublabFBLBAjax
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Theme Activation
Published
2022-11-08
Title
Blog2Social < 6.9.12 - Subscriber+ Settings Update
Published
2026-02-18
Title
App Landing Page < 1.2.3 - Missing Authorization
Published
2024-09-25
Title
Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads < 2.0.85 - Missing Authorization