CVE-2025-0939 - Vulnerability Details

- MagicForm - WordPress Form Builder <= 1.6.2 - Missing Authorization

Description

The MagicForm plugin for WordPress is vulnerable to access and modification of data due to a missing capability check on the plugin's AJAX actions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those actions in order to delete or view logs, modify forms or modify plugin settings.

Published: 2025-02-01

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in a missing capability check on the MagicForm plugin’s AJAX actions. An authenticated user with Subscriber level or higher can therefore invoke these endpoints to delete or view logs, modify form definitions, or change plugin settings, effectively allowing them to alter data they should not be able to access.

Affected Systems

The flaw affects all releases of the MagicForm WordPress plugin up to and including version 1.6.2, which is distributed by the developer dcooperman. Any WordPress site running one of these versions is susceptible.

Risk and Exploitability

With a CVSS score of 6.3 the issue is considered moderate in severity. The EPSS score is below 1%, indicating that exploitation is unlikely in the wild, and it has not been noted in CISA’s KEV catalog. The attack requires an authenticated account with at least Subscriber privileges; the perpetrator can trigger the vulnerable AJAX endpoint via an HTTP request, making the flaw straightforward to abuse once credentials are in hand.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

dcooperman

MagicForm

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.6.2

Configuration 1 [-]

cpe:2.3:a:dcooperman:magicform:*:*:*:*:*:wordpress:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the MagicForm plugin to a version newer than 1.6.2 to restore proper capability checks on all AJAX actions.
Limit administrative access so that only users with Editor or higher roles can use the plugin’s features, and remove or downgrade the Subscriber role if it is unnecessary.
Add an additional security layer by configuring a plugin or custom code that ensures wp_verify_nonce and current_user_can checks are performed before any AJAX handler processes requests.

Generated by OpenCVE AI on April 21, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-1936	The MagicForm plugin for WordPress is vulnerable to access and modification of data due to a missing capability check on the plugin's AJAX actions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those actions in order to delete or view logs, modify forms or modify plugin settings.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/magicform/trunk/admin/admin-menu.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa3497ae-7f3a-4e67-ad7a-77b50dccaf3b?source=cve

History

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00048}`	epss `{'score': 0.00061}`

Fri, 21 Feb 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dcooperman Dcooperman magicform
CPEs		cpe:2.3:a:dcooperman:magicform::::::wordpress::*
Vendors & Products		Dcooperman Dcooperman magicform

Sat, 01 Feb 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		The MagicForm plugin for WordPress is vulnerable to access and modification of data due to a missing capability check on the plugin's AJAX actions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those actions in order to delete or view logs, modify forms or modify plugin settings.
Title		MagicForm - WordPress Form Builder <= 1.6.2 - Missing Authorization
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/magicform/trunk/admin/admin-menu.php https://www.wordfence.com/threat-intel/vulnerabilities/id/aa3497ae-7f3a-4e67-ad7a-77b50dccaf3b?source=cve
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}`

Subscriptions

Dcooperman Magicform

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-02-01T06:41:51.508Z

Updated: 2026-04-08T17:14:19.736Z

Reserved: 2025-01-31T17:56:49.931Z

Link: CVE-2025-0939

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2025-02-01T07:15:08.097

Modified: 2025-02-21T15:38:36.803

Link: CVE-2025-0939

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object