WordPress Plugin Vulnerabilities

Contact Form by WPForms < 1.9.2.3 - Contributor+ Custom Form Theme Creation

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for authenticated attackers, with Contributor-level access and above, to create custom form theme

Affects Plugins

Plugin icon
wpforms-lite
Fixed in 1.9.2.3

References

CVE
CVE-2024-56276
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/95de9099-6071-46d8-a7c9-bb2c1caa6b38

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
ed5fd5ae-1c77-43e4-ab2c-99689f586938

Timeline

Publicly Published
2025-01-03 (about 1 year ago)
Added
2025-01-13 (about 1 year ago)
Last Updated
2025-01-13 (about 1 year ago)

Other

Published
Title
Published
2025-04-15
Title
JetTricks < 1.5.1.1 - Missing Authorization
Published
2025-12-20
Title
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX < 5.0.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure
Published
2025-06-04
Title
Icegram Collect – Easy Form, Lead Collection and Subscription plugin < 1.3.19 - Missing Authorization
Published
2025-10-06
Title
IDonate < 2.1.13 - Unauthenticated User Deletion
Published
2023-12-27
Title
Eazy Plugin Manager < 4.1.3 - Missing Authorization via update_options