THREATINT
PUBLISHED

CVE-2024-5309

Form Vibes – Database Manager for Forms <= 1.4.12 - Missing Authorization in Multiple Functions



Assigner: Wordfence
Reserved: 2024-05-23
Published: 2024-09-05
Updated: 2024-09-05

Description

The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the fv_export_csv, reset_settings, save_settings, save_columns_settings, get_analytics_data, get_event_logs_data, delete_submissions, and get_submissions functions in all versions up to, and including, 1.4.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple unauthorized actions. NOTE: This vulnerability is partially fixed in version 1.4.12.



MEDIUM: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Problem types

CWE-862 Missing Authorization

Product status

Default status

*
affected

Timeline

2024-09-04: Disclosed

Credits

Peter Thaleikis

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/aba88c4c-93a4-4c1c-b239-68b5fec87146?source=cve

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3128705%40form-vibes&new=3128705%40form-vibes&sfp_email=&sfph_mail=

cve.org CVE-2024-5309

nvd.nist.gov CVE-2024-5309
