CVE-2024-56276
Published: 07 January 2025
Description
Missing Authorization vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through <= 1.9.2.2.
Security Summary
CVE-2024-56276 is a missing authorization vulnerability, also described as exploiting incorrectly configured access control security levels and mapped to CWE-862, in the wpforms-lite WordPress plugin for Contact Form by WPForms, developed by Syed Balkhi. The issue affects all versions from n/a through 1.9.2.2. It has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, and low-privilege requirements.
Low-privileged authenticated users on affected WordPress sites can exploit this vulnerability remotely without user interaction. By bypassing authorization checks, attackers can achieve limited integrity impacts, such as unauthorized modifications to plugin functions or data, while confidentiality and availability remain unaffected.
The Patchstack advisory provides details on this broken access control vulnerability in wpforms-lite version 1.9.2.2, including mitigation guidance: https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-wpforms-lite-plugin-1-9-2-2-broken-access-control-vulnerability?_s_id=cve.
Details
- CWE(s)