CVE-2024-10402

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3169243/
https://www.wordfence.com/threat-intel/vulnerabilities/id/be1d9d2b-cbdf-4d62-85fe-2616eaf02848?source=cve

Configurations

No configuration.

History

28 Oct 2024, 13:58

Type	Values Removed	Values Added
Summary		(es) El complemento Forminator Forms – Contact Form, Payment Form & Custom Form Builder para WordPress es vulnerable al acceso no autorizado debido a la falta de una comprobación de capacidad en una función en todas las versiones hasta la 1.35.1 incluida. Esto permite que atacantes autenticados, con acceso de nivel de colaborador o superior, y permisos otorgados por un administrador, creen formularios nuevos o editen los existentes, incluida la actualización del rol de registro predeterminado a Administrador en los formularios de registro de usuarios.

26 Oct 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-26 12:15

Updated : 2024-10-28 13:58

NVD link : CVE-2024-10402

Mitre link : CVE-2024-10402

CVE.ORG link : CVE-2024-10402

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

7.5 /10