CVE-2024-10717

The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and including, 3.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users. Note: This issue can also be used to add arbitrary options with an empty value.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/styler-for-ninja-forms-lite/tags/3.3.4/admin-menu/licenses.php#L126	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/a26da53c-4be0-4c9f-9caf-05f054a6d5e7?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wpmonks:styler_for_ninja_forms:*:*:*:*:lite:wordpress:*:*

History

11 Jul 2025, 13:55

Type	Values Removed	Values Added
CPE		cpe:2.3:a:wpmonks:styler_for_ninja_forms:::::lite:wordpress::
First Time		Wpmonks Wpmonks styler For Ninja Forms
References	~~() https://plugins.trac.wordpress.org/browser/styler-for-ninja-forms-lite/tags/3.3.4/admin-menu/licenses.php#L126 -~~	() https://plugins.trac.wordpress.org/browser/styler-for-ninja-forms-lite/tags/3.3.4/admin-menu/licenses.php#L126 - Product
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/a26da53c-4be0-4c9f-9caf-05f054a6d5e7?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/a26da53c-4be0-4c9f-9caf-05f054a6d5e7?source=cve - Third Party Advisory

Information

Published : 2024-11-13 02:15

Updated : 2025-07-11 13:55

NVD link : CVE-2024-10717

Mitre link : CVE-2024-10717

CVE.ORG link : CVE-2024-10717

JSON object : View

Products Affected

wpmonks

styler_for_ninja_forms

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-10717", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-11-13T02:15:14.450", "references": [{"url": "https://plugins.trac.wordpress.org/browser/styler-for-ninja-forms-lite/tags/3.3.4/admin-menu/licenses.php#L126", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a26da53c-4be0-4c9f-9caf-05f054a6d5e7?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and including, 3.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users. Note: This issue can also be used to add arbitrary options with an empty value."}, {"lang": "es", "value": "El complemento Styler for Ninja Forms para WordPress es vulnerable a modificaciones no autorizadas de datos que pueden provocar una denegaci\u00f3n de servicio debido a una verificaci\u00f3n de capacidad faltante en la funci\u00f3n deactivate_license en todas las versiones hasta la 3.3.4 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen valores de opciones arbitrarios en el sitio de WordPress. Esto se puede aprovechar para eliminar una opci\u00f3n que crear\u00eda un error en el sitio y denegar\u00eda el servicio a usuarios leg\u00edtimos. Nota: Este problema tambi\u00e9n se puede utilizar para agregar opciones arbitrarias con un valor vac\u00edo."}], "lastModified": "2025-07-11T13:55:52.650", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wpmonks:styler_for_ninja_forms:*:*:*:*:lite:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "507084C2-7DF8-40C3-8C8A-65B2A4EBB2CD", "versionEndIncluding": "3.3.4"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}