CVE-2024-1400 - Vulnerability Details - OpenCVE

The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00083.

Key SSVC decision points have not yet been added.

Vendors	Products
Wobbie	Mollie Forms

Configuration 1 [-]

cpe:2.3:a:wobbie:mollie_forms:*:*:*:*:*:wordpress:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3046896/mollie-forms/trunk/classes/Admin.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/43c4ca71-0bf0-4529-97d9-2349f96bbb9e?source=cve

History

Wed, 05 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wobbie Wobbie mollie Forms
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:wobbie:mollie_forms::::::wordpress::*
Vendors & Products		Wobbie Wobbie mollie Forms

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-03-11T21:30:57.915Z

Updated: 2024-08-05T17:44:22.686Z

Reserved: 2024-02-09T14:30:01.475Z

Link: CVE-2024-1400

Vulnrichment

Updated: 2024-08-01T18:40:20.843Z

NVD

Status : Analyzed

Published: 2024-03-11T22:15:54.490

Modified: 2025-02-05T20:56:20.887

Link: CVE-2024-1400

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1400", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-02-09T14:30:01.475Z", "datePublished": "2024-03-11T21:30:57.915Z", "dateUpdated": "2024-08-05T17:44:22.686Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-11T21:30:57.915Z"}, "affected": [{"vendor": "ndijkstra", "product": "Mollie Forms", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.6.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43c4ca71-0bf0-4529-97d9-2349f96bbb9e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3046896/mollie-forms/trunk/classes/Admin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-03-11T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:20.843Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43c4ca71-0bf0-4529-97d9-2349f96bbb9e?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3046896/mollie-forms/trunk/classes/Admin.php", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T17:44:09.662610Z", "id": "CVE-2024-1400", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T17:44:22.686Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43c4ca71-0bf0-4529-97d9-2349f96bbb9e?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3046896/mollie-forms/trunk/classes/Admin.php", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:20.843Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1400", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-05T17:44:09.662610Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T17:44:17.464Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ndijkstra", "product": "Mollie Forms", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.6.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-03-11T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43c4ca71-0bf0-4529-97d9-2349f96bbb9e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3046896/mollie-forms/trunk/classes/Admin.php"}], "descriptions": [{"lang": "en", "value": "The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-11T21:30:57.915Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1400", "state": "PUBLISHED", "dateUpdated": "2024-08-05T17:44:22.686Z", "dateReserved": "2024-02-09T14:30:01.475Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-03-11T21:30:57.915Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wobbie:mollie_forms:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "48F50D84-1C10-4A5C-91DC-F306D1EC6C59", "versionEndExcluding": "2.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages."}, {"lang": "es", "value": "El complemento Mollie Forms para WordPress es vulnerable a publicaciones no autorizadas o duplicaci\u00f3n de p\u00e1ginas debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n duplicadoForm en todas las versiones hasta la 2.6.3 incluida. Esto hace posible que atacantes autenticados, con acceso de suscriptor o superior, dupliquen publicaciones y p\u00e1ginas arbitrarias."}], "id": "CVE-2024-1400", "lastModified": "2025-02-05T20:56:20.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-03-11T22:15:54.490", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3046896/mollie-forms/trunk/classes/Admin.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43c4ca71-0bf0-4529-97d9-2349f96bbb9e?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3046896/mollie-forms/trunk/classes/Admin.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43c4ca71-0bf0-4529-97d9-2349f96bbb9e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}