WordPress Plugin Vulnerabilities

Contact Form & Lead Form Elementor Builder < 1.6.8 - Subscriber+ Arbitrary Lead Deletion

Description

The plugin does not have capability and CSRF checks in the delete_leads_backend AJAX action, available to any authenticated users. As a result, users with a role as low as subscriber could delete arbitrary Leads. Attackers could also make any logged in users delete leads via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
lead-form-builder
Fixed in 1.6.8

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
ac37482e-f107-40fc-81fe-c106366e0993

Timeline

Publicly Published
2021-12-22 (about 4 years ago)
Added
2022-02-01 (about 3 years ago)
Last Updated
2022-02-01 (about 3 years ago)

Other

Published
Title
Published
2025-05-07
Title
Ovation Elements < 1.1.3 - Missing Authorization
Published
2025-07-22
Title
Realty Portal – Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function
Published
2025-11-30
Title
LearnPress < 4.3.0 - Missing Authorization
Published
2024-02-07
Title
ImageRecycle pdf & image compression < 3.1.14 - Missing Authorization to Settings Update in disableOptimization
Published
2024-04-05
Title
Masteriyo - LMS < 1.7.3 - Unauthenticated Privilege Escalation