Contact Form by WPForms – Drag & Drop Form Builder for WordPress < 1.8.8.2 – Unauthenticated Price Manipulation | CVE 2024-3649 | Plugin Vulnerabilities

Description

The Contact Form by WPForms – Drag & Drop Form Builder for WordPress is vulnerable to price manipulation. This is due to a lack of controls on several product parameters, making it possible for unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration.

Affects Plugins

Fixed in 1.8.8.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/68a509ae-9943-4b9a-8ede-2b5732e96e6d

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Asaf Mozes

Verified

No

WPVDB ID

f8d86b51-e8d2-4419-9a97-202535e20a54

Timeline

Publicly Published

2024-05-01 (about 2 years ago)

Added

2024-05-06 (about 2 years ago)

Last Updated

2024-05-06 (about 2 years ago)

Other

Published

Title

Published

2021-04-10

Title

Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)

Published

2021-09-15

Title

Find My Blocks < 3.4.0 - Private Post Titles Disclosure

Published

2022-12-28

Title

Optimize images ALT Text (alt tag) & names for SEO using AI < 2.0.8 - Settings Update via CSRF

Published

2023-11-28

Title

JetEngine < 3.2.5 - Authenticated (Contributor+) Privilege Escalation

Published

2021-10-01

Title

Stripe For WooCommerce 3.0.0 - 3.3.9 - Missing Authorization Controls to Financial Account Hijacking