CVE-2024-10402

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3169243/	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/be1d9d2b-cbdf-4d62-85fe-2616eaf02848?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:free:wordpress:*:*

History

05 Feb 2025, 15:02

Type	Values Removed	Values Added
CPE		cpe:2.3:a:wpmudev:forminator_forms:::::free:wordpress::
First Time		Wpmudev Wpmudev forminator Forms
References	~~() https://plugins.trac.wordpress.org/changeset/3169243/ -~~	() https://plugins.trac.wordpress.org/changeset/3169243/ - Product
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/be1d9d2b-cbdf-4d62-85fe-2616eaf02848?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/be1d9d2b-cbdf-4d62-85fe-2616eaf02848?source=cve - Third Party Advisory

Information

Published : 2024-10-26 12:15

Updated : 2025-02-05 15:02

NVD link : CVE-2024-10402

Mitre link : CVE-2024-10402

CVE.ORG link : CVE-2024-10402

JSON object : View

Products Affected

wpmudev

forminator_forms

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-10402", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-10-26T12:15:12.873", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3169243/", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/be1d9d2b-cbdf-4d62-85fe-2616eaf02848?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms."}, {"lang": "es", "value": "El complemento Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder para WordPress es vulnerable al acceso no autorizado debido a la falta de una comprobaci\u00f3n de capacidad en una funci\u00f3n en todas las versiones hasta la 1.35.1 incluida. Esto permite que atacantes autenticados, con acceso de nivel de colaborador o superior, y permisos otorgados por un administrador, creen formularios nuevos o editen los existentes, incluida la actualizaci\u00f3n del rol de registro predeterminado a Administrador en los formularios de registro de usuarios."}], "lastModified": "2025-02-05T15:02:16.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:free:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "93366E57-C8FC-4C2A-9230-135FC97F26FA", "versionEndExcluding": "1.36.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}