Description
Missing Authorization vulnerability in fromdoppler Doppler Forms doppler-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Doppler Forms: from n/a through <= 2.4.6.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Doppler Forms plugin for WordPress contains a missing authorization check that allows an attacker to bypass configured access control levels. This flaw enables unauthorized users to perform actions or access data normally protected for higher‑privilege roles, potentially compromising the confidentiality and integrity of the form submissions and providing a foothold for further exploitation on the site. The weakness is identified as CWE‑862, an authorization failure within the application logic.

Affected Systems

The vulnerability affects all installations of the Doppler Forms plugin released by fromdoppler with a version number of 2.4.6 or earlier. Any WordPress site that has an unpatched instance of this plugin is considered vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% reflects a low current exploitation probability. The issue is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a web request to the plugin’s endpoints where an unauthenticated or low‑privilege user can trigger privileged actions. Exploitation would require the plugin to be active and accessible, but no additional network conditions are specified.

Generated by OpenCVE AI on May 1, 2026 at 09:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Doppler Forms plugin to version 2.4.7 or later to remove the missing authorization check.
  • If an upgrade cannot be performed immediately, restrict plugin access so that only administrator accounts can use it or temporarily deactivate the plugin for all users.
  • Review and tighten WordPress user role permissions to ensure that only users with the necessary privileges can interact with the Doppler Forms functionality, and monitor logs for any unauthorized activity.

Generated by OpenCVE AI on May 1, 2026 at 09:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11707 Missing Authorization vulnerability in fromdoppler Doppler Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Doppler Forms: from n/a through 2.4.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in fromdoppler Doppler Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Doppler Forms: from n/a through 2.4.5. Missing Authorization vulnerability in fromdoppler Doppler Forms doppler-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Doppler Forms: from n/a through <= 2.4.6.
Title WordPress Doppler Forms plugin <= 2.4.5 - Broken Access Control vulnerability WordPress Doppler Forms plugin <= 2.4.6 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in fromdoppler Doppler Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Doppler Forms: from n/a through 2.4.5.
Title WordPress Doppler Forms plugin <= 2.4.5 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:25.690Z

Reserved: 2025-04-09T11:20:43.114Z

Link: CVE-2025-32620

cve-icon Vulnrichment

Updated: 2025-04-17T18:07:50.472Z

cve-icon NVD

Status : Deferred

Published: 2025-04-17T16:15:47.053

Modified: 2026-04-23T15:29:13.503

Link: CVE-2025-32620

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T10:00:12Z

Weaknesses