WordPress Plugin Vulnerabilities

weForms < 1.6.21 - Missing Authorization

Description

The weForms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the handle_frontend_submission() function in versions up to, and including, 1.6.20. This makes it possible for unauthenticated attackers to submit forms that are not open.

Affects Plugins

Plugin icon
weforms
Fixed in 1.6.21

References

CVE
CVE-2024-30512
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5c71dc22-0b1b-4628-bbab-4154714e8804

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Kyle Sanchez
Verified
No
WPVDB ID
9915e202-ef99-49a5-8318-06bc3a7d4987

Timeline

Publicly Published
2024-03-28 (about 2 years ago)
Added
2024-04-03 (about 2 years ago)
Last Updated
2024-04-03 (about 2 years ago)

Other

Published
Title
Published
2024-01-31
Title
WooCommerce Conversion Tracking < 2.0.12 - Subscriber+ Addon Installation
Published
2025-05-15
Title
Tours < 1.0.1 - Missing Authorization
Published
2025-11-07
Title
Gallery Plugin for WordPress – Envira Photo Gallery < 1.12.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion
Published
2025-04-07
Title
Specia Companion <= 6.2 - Missing Authorization
Published
2025-03-28
Title
Checkout Mestres do WP for WooCommerce 8.6.5 - 8.7.5 - Unauthenticated Arbitrary Options Update