WordPress Plugin Vulnerabilities

Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update

Description

The plugin doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings

Proof of Concept

Affects Plugins

Plugin icon
lead-form-builder
Fixed in 1.7.4

References

CVE
CVE-2022-23180
URL
https://plugins.trac.wordpress.org/changeset/2670484

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Yoru Oni
Submitter
Yoru Oni
Submitter website
https://profiles.wordpress.org/yoruoni
Verified
Yes
WPVDB ID
da87358a-3a72-4cf7-a2af-a266dd9b4290

Timeline

Publicly Published
2022-02-01 (about 3 years ago)
Added
2022-02-01 (about 3 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2024-12-17
Title
Agency Toolkit < 1.0.24 - Unauthenticated Arbitrary Options Update
Published
2026-01-06
Title
aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification
Published
2024-04-29
Title
Social Share Icons & Social Share Buttons < 3.6.3 - Missing Authorization to Notice Dismissal
Published
2024-12-06
Title
Message Filter for Contact Form 7 < 1.6.3.1 - Subscriber+ Filter Creation
Published
2025-01-16
Title
Minterpress <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion