WordPress Plugin Vulnerabilities

Contact Form builder with drag & drop - Kali Forms < 2.3.37 - Insecure Direct Object Reference

Description

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.38 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to access objects they do not have proper authorization to view.

Affects Plugins

Plugin icon
kali-forms
Fixed in 2.3.37

References

CVE
CVE-2024-22305
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/012a558c-1f80-4f36-85d9-905f4ed0b6cb

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Revan Arifio
Verified
No
WPVDB ID
e6b1afb1-a399-4600-949c-81bd70562f29

Timeline

Publicly Published
2024-01-17 (about 2 years ago)
Added
2024-01-24 (about 2 years ago)
Last Updated
2024-02-02 (about 2 years ago)

Other

Published
Title
Published
2024-11-20
Title
Theme Builder For Elementor < 1.2.3 - Authenticated (Contributor+) Post Disclosure
Published
2025-04-07
Title
Streamit < 4.0.3 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover
Published
2024-04-17
Title
EAN for WooCommerce < 4.9.3 - Insecure Direct Object Reference to Sensitve Information Exposure via Shortcode
Published
2020-06-27
Title
Advanced Forms < 1.6.9 - Subscriber+ Arbitrary User Email Address Update via IDOR
Published
2024-01-26
Title
wp-dashboard-notes < 1.0.11 - Contributor+ Arbitrary Private Notes Update via IDOR