The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.
Metrics
Affected Vendors & Products
References
History
Mon, 25 Nov 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:free:wordpress:*:* |
Thu, 31 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Wpmudev
Wpmudev forminator Forms |
|
CPEs | cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:*:*:*:* | |
Vendors & Products |
Wpmudev
Wpmudev forminator Forms |
|
Metrics |
ssvc
|
Thu, 31 Oct 2024 05:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions. | |
Title | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation | |
Weaknesses | CWE-639 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-10-31T05:31:23.699Z
Updated: 2024-10-31T14:20:15.963Z
Reserved: 2024-10-09T17:48:24.883Z
Link: CVE-2024-9700
Vulnrichment
Updated: 2024-10-31T14:20:01.299Z
NVD
Status : Analyzed
Published: 2024-10-31T06:15:05.350
Modified: 2024-11-25T19:57:41.387
Link: CVE-2024-9700
Redhat
No data.