WordPress Plugin Vulnerabilities
WS Form LITE < 1.11.8 - Subscriber+ Arbitrary Settings Update
Description
The plugin does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the plugin's settings.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
AUTHBYPASS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Mustafa Ahmed
Submitter
Mustafa Ahmed
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-10 (about 21 days ago)
Added
2026-06-10 (about 20 days ago)
Last Updated
2026-06-10 (about 20 days ago)