WordPress Plugin Vulnerabilities

WP Libre Form 2-2.0.8 - Unauthenticated Arbitrary Submissions Listing & Deletion

Description

The plugin does not have proper authorisation in some of its REST endpoints, which could allow unauthenticated attackers to list and delete arbitrary submissions

Affects Plugins

Plugin icon
libreform
Fixed in 2.0.9

References

CVE
CVE-2022-34867

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.3 (high)

Miscellaneous

Original Researcher
Christian Nikkanen
Verified
No
WPVDB ID
bcec621f-42d4-468d-8a38-870613b0be1c

Timeline

Publicly Published
2022-07-22 (about 3 years ago)
Added
2022-09-06 (about 3 years ago)
Last Updated
2022-09-06 (about 3 years ago)

Other

Published
Title
Published
2024-06-20
Title
License Manager for WooCommerce < 3.0.7 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure
Published
2024-07-04
Title
The Post Grid < 7.7.5 - Missing Authorization via REST API
Published
2023-08-23
Title
Elements kit Elementor addons < 2.9.2 - Missing Authorization
Published
2023-12-06
Title
System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_option_value)
Published
2022-09-23
Title
MailOptin < 1.2.50.0 - Unauthenticated Campaign Cache Deletion