What the vulnerability does
01 Description
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it.
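As an added illustration of the bug class described above (not SureForms code; the post type name, function names and the administrator-only capability are assumptions), the weak registration below lets any Contributor create form posts, while the hardened version maps the post type's capabilities to manage_options and checks them on the programmatic path too:

```php
<?php
// Hypothetical example, not the plugin's code. Post type name, function
// names and the 'manage_options' choice are assumptions for illustration.

// WEAK: capability_type 'post' maps create_posts to 'edit_posts', which every
// Contributor holds, so Contributors can create form posts through any entry
// point (REST API, admin-post.php, WP-CLI) even if the admin UI hides it.
function example_register_form_type_weak() {
    register_post_type( 'example_form', array(
        'public'          => false,
        'show_ui'         => true,
        'show_in_rest'    => true,
        'capability_type' => 'post',
    ) );
}

// HARDENED: map every primitive capability of the form post type to
// 'manage_options' so the same rule is enforced everywhere, not just in the UI.
function example_register_form_type_hardened() {
    $admin_only = array(
        'edit_posts'          => 'manage_options',
        'edit_others_posts'   => 'manage_options',
        'publish_posts'       => 'manage_options',
        'read_private_posts'  => 'manage_options',
        'delete_posts'        => 'manage_options',
        'delete_others_posts' => 'manage_options',
        'create_posts'        => 'manage_options',
    );
    register_post_type( 'example_form', array(
        'public'          => false,
        'show_ui'         => true,
        'show_in_rest'    => true,
        'capability_type' => 'example_form',
        'map_meta_cap'    => true,
        'capabilities'    => $admin_only,
    ) );
}
add_action( 'init', 'example_register_form_type_hardened' );

// Defensive check for any code path that creates a form programmatically:
// consult the post type's own create_posts capability rather than assuming
// the caller reached this point through an authorized screen.
function example_create_form( $title ) {
    $type = get_post_type_object( 'example_form' );
    if ( ! $type || ! current_user_can( $type->cap->create_posts ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability to create a form.' );
    }
    return wp_insert_post( array(
        'post_type'   => 'example_form',
        'post_title'  => sanitize_text_field( $title ),
        'post_status' => 'draft',
    ), true );
}
```

Verifying the fix means testing as a Contributor against the REST endpoint and admin-post.php, not only the dashboard, since the UI hiding a button is not an authorization check.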
Explanation of Vulnerability in Simple Terms
02 Summary
SureForms versions up to 1.12.0 lack proper authorization checks, allowing authenticated users to modify form data they should not have access to. An attacker with a low-privilege account can alter form submissions or settings belonging to other users or forms. The vulnerability requires an existing user account but no special interaction from victims.
What an attacker can do
03 Attacker Capabilities
Modify form data or settings belonging to other users or forms without authorization.
Potential impact on your site
04 Site Impact
Form data integrity is at risk; users' submissions or form configurations may be altered by other authenticated users.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the site; no victim interaction required.
Key dates
06 Disclosure timeline
September 20, 2025: CVE published
April 8, 2026: Record updated