WordPress Plugin Vulnerabilities

Forminator Forms < 1.36.1 - Unauthenticated Arbitrary Quiz Submissions Update

Description

The plugin is vulnerable to Insecure Direct Object Reference via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.

Affects Plugins

Plugin icon
forminator
Fixed in 1.36.1

References

CVE
CVE-2024-9700
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fbed35ca-1630-46a4-8b1f-60cc7216f294

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Vijaysimha Reddy (vijaysimha)
Verified
No
WPVDB ID
cf5e444a-cc27-4305-b530-795acedcfe67

Timeline

Publicly Published
2024-10-30 (about 1 year ago)
Added
2024-11-04 (about 1 year ago)
Last Updated
2024-11-04 (about 1 year ago)

Other

Published
Title
Published
2026-02-11
Title
Image Photo Gallery Final Tiles Grid < 3.6.12 - Authenticated (Author+) Insecure Direct Object Reference
Published
2026-03-12
Title
Appointment Booking Calendar < 1.6.10.0 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure
Published
2021-06-03
Title
Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak
Published
2026-04-23
Title
Booking Calendar Contact Form < 1.2.64 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover
Published
2025-06-19
Title
JobSearch < 3.0.6 - Subscriber+ Insecure Direct Object Reference