Description
Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WAH Forms: from n/a through 1.0.
Published: 2025-03-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in the WAH Forms plugin allows an attacker to request plugin endpoints without a proper authorization check, leading to the exposure of sensitive user data. The vulnerability is classified as an access control weakness, as defined by CWE-862, and can result in confidentiality violations where confidential information becomes readable by unauthorized parties.

Affected Systems

The vulnerability affects the WordPress WAH Forms plugin from its earliest released versions through 1.0, including all installations of the plugin regardless of WordPress core version. Users running any supported variant of WAH Forms up to and including version 1.0 are potentially impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote: the CVSS vector gives AV:N with low attack complexity (AC:L), so the missing authorization flaw can be triggered over the network by sending requests to the plugin's endpoints. The vector also gives PR:L, so the attacker needs a low-privileged account rather than no credentials at all, and the scored impact is confidentiality only (C:H/I:N/A:N).

Generated by OpenCVE AI on May 1, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WAH Forms to the latest available release that contains the authorization fix.
  • If an upgrade is not immediately possible, temporarily disable the plugin or remove it until the patch is applied.
  • Restrict access to the plugin’s administrative pages by enforcing strict role-based permissions so that only trusted users can view or modify sensitive data.

Advisories
Source: EUVD
ID: EUVD-2025-5674
Title: Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WAH Forms: from n/a through 1.0.

History

Tue, 28 Apr 2026 19:30:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Missing Authorization vulnerability in Alex Volkov WAH Forms wah-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WAH Forms: from n/a through <= 1.0.
  Added: Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WAH Forms: from n/a through 1.0.
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WAH Forms: from n/a through 1.0.
  Added: Missing Authorization vulnerability in Alex Volkov WAH Forms wah-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WAH Forms: from n/a through <= 1.0.
References

Tue, 04 Mar 2025 03:45:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Description
  Added: Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WAH Forms: from n/a through 1.0.
Title
  Added: WordPress WAH Forms plugin <= 1.0 - Sensitive Data Exposure vulnerability
Weaknesses
  Added: CWE-862
References
Metrics
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:19.007Z

Reserved: 2025-01-16T11:29:57.540Z

Link: CVE-2025-23763

Vulnrichment

Updated: 2025-03-03T19:11:24.370Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:47.000

Modified: 2026-04-28T19:28:59.307

Link: CVE-2025-23763

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:45:16Z

Weaknesses