Description
Missing Authorization vulnerability in Shahjada Live Forms liveforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Live Forms: from n/a through <= 4.8.4.
Published: 2025-03-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in Shahjada Live Forms allows an attacker to modify plugin settings without proper access control. This defect stems from incorrectly configured security levels that fail to enforce role‑based restrictions, enabling unauthorized changes to how forms behave or what data is collected. The impact is a change in configuration, which could alter data handling or expose sensitive information.

Affected Systems

WordPress sites running Shahjada Live Forms version 4.8.4 or earlier are affected, from the plugin’s initial release up to and including 4.8.4. Sites must verify the installed version and consider the plugin unavailable until a newer release is applied.

Risk and Exploitability

The CVSS score of 5.4 classifies the vulnerability as moderate, while the EPSS score of <1% indicates a very low likelihood of current exploitation. It is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector requires an authenticated user on the site, or a user with privileged access to the plugin’s settings, since the lack of authorization checks allows such users to change configuration.

Generated by OpenCVE AI on May 1, 2026 at 13:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Live Forms to a version newer than 4.8.4 once the vendor releases a fix.
  • Restrict the capabilities granted to WordPress roles that can access the Live Forms settings page so that only trusted administrators can modify configurations.
  • Review existing user roles for permissions related to Live Forms and remove unnecessary access to enforce least privilege.

Generated by OpenCVE AI on May 1, 2026 at 13:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8375 Missing Authorization vulnerability in Shahjada Live Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live Forms: from n/a through 4.8.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Shahjada Live Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live Forms: from n/a through 4.8.4. Missing Authorization vulnerability in Shahjada Live Forms liveforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Live Forms: from n/a through <= 4.8.4.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Thu, 27 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Shahjada Live Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live Forms: from n/a through 4.8.4.
Title WordPress WordPress Contact Form, Drag and Drop Form Builder Plugin – Live Forms plugin <= 4.8.4 - Settings Change vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:57.859Z

Reserved: 2025-03-26T09:20:25.505Z

Link: CVE-2025-30809

cve-icon Vulnrichment

Updated: 2025-03-27T13:58:52.380Z

cve-icon NVD

Status : Deferred

Published: 2025-03-27T11:15:41.837

Modified: 2026-04-23T15:27:06.763

Link: CVE-2025-30809

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T13:15:20Z

Weaknesses