The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.
History

Thu, 31 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Wpmudev
Wpmudev forminator Forms
CPEs cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:*:*:*:*
Vendors & Products Wpmudev
Wpmudev forminator Forms
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 31 Oct 2024 05:45:00 +0000

Type Values Removed Values Added
Description The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.
Title Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-10-31T05:31:23.699Z

Updated: 2024-10-31T14:20:15.963Z

Reserved: 2024-10-09T17:48:24.883Z

Link: CVE-2024-9700

cve-icon Vulnrichment

Updated: 2024-10-31T14:20:01.299Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-31T06:15:05.350

Modified: 2024-11-01T12:57:03.417

Link: CVE-2024-9700

cve-icon Redhat

No data.