CVE-2024-2043 MEDIUM

CVE-2024-2043: EleForms – All In One Form Integration including DB for Elementor <= 2.9.9.7 - Missing Authorization to Sensitive Information Exposure

Vendor Cscode
Product EleForms – All In One Form Integration including DB for Elementor
Weakness CWE-862 · Missing authorization
Published May 2, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when downloading form submissions in all versions up to, and including, 2.9.9.7. This makes it possible for unauthenticated attackers to view form submissions.

Key dates

02Disclosure timeline

May 2, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-49902 WordPress Login Page Customizer – Customizer Login Page, Admin Page, Custom Design plugin <= 2.1.1 - Broken Access Control vulnerability CVE-2025-68042 WordPress Travelpayouts plugin <= 1.2.2 - Broken Access Control vulnerability CVE-2025-47688 WordPress Advanced File Manager plugin <= 5.3.1 - Broken Access Control to Notice Dismissal vulnerability CVE-2025-12133 EPROLO Dropshipping <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification CVE-2025-67956 WordPress User Registration plugin <= 4.4.6 - Broken Access Control vulnerability