WordPress Plugin Vulnerabilities

Smart Forms < 2.6.85 - Subscriber+ Arbitrary Options Update

Description

The plugin does not have authorisation in an AJAX action hooked to smart_forms_save_settings(), and does not ensure that the option to be updated belong to the plugin. As a result, any authenticated users, such as subscriber could update arbitrary options (such as default_role and users_can_register)

Affects Plugins

Plugin icon
smart-forms
Fixed in 2.6.85

References

CVE
CVE-2023-49856
URL
https://patchstack.com/database/vulnerability/smart-forms/wordpress-smart-forms-plugin-2-6-84-authenticated-arbitrary-options-change-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
ffc11b42-08e4-4f28-b64d-095832b06c25

Timeline

Publicly Published
2023-12-07 (about 2 years ago)
Added
2023-12-10 (about 2 years ago)
Last Updated
2023-12-14 (about 2 years ago)

Other

Published
Title
Published
2021-11-10
Title
WP Reset Pro < 5.99 - Subscriber+ Database Reset
Published
2022-10-30
Title
Corsa <= 1.5 - Subscriber+ Arbitrary Plugin Installation
Published
2024-06-28
Title
Uncanny Automator Pro < 5.3.0.1 - Missing Authorization to Unauthenticated License Setting Reset
Published
2025-06-19
Title
Import YouTube videos as WP Posts <= 2.1 - Missing Authorization
Published
2024-01-19
Title
ColorMag < 3.1.3 - Missing Authorization to Arbitrary Plugin Installation