Description
Missing Authorization vulnerability in mmattax Formstack Online Forms formstack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Formstack Online Forms: from n/a through <= 2.0.2.
Published: 2025-12-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the mmattax Formstack Online Forms WordPress plugin is a missing authorization check that permits users without proper privileges to view or manipulate forms that are meant to be restricted. By exploiting this flaw, an attacker could potentially read sensitive data or alter form configurations, thereby compromising confidentiality and integrity of the site’s data.

Affected Systems

Systems running mmattax Formstack Online Forms version 2.0.2 or older are susceptible, as the flaw was present through all releases up to and including 2.0.2. Administrators should verify whether their installation falls within this version range.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not recorded in CISA’s KEV catalog, and no public exploit has been reported. Likely attack paths involve sending crafted requests to unprotected form endpoints or using exposed administrative URLs that bypass role checks, especially on sites where access control is incorrectly configured.

Generated by OpenCVE AI on April 29, 2026 at 13:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mmattax Formstack Online Forms to version 2.0.3 or newer to address the missing authorization check.
  • Review and enforce correct role‑based access controls in the plugin settings to ensure only authorized users can view or modify protected forms.
  • Audit existing form configurations for unintended public accessibility and restrict permissions as necessary.


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 22:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Metrics |  | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Wordpress; Wordpress wordpress
Vendors & Products |  | Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 15:00:00 +0000

Type | Values Removed | Values Added
Description |  | Missing Authorization vulnerability in mmattax Formstack Online Forms formstack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Formstack Online Forms: from n/a through <= 2.0.2.
Title |  | WordPress Formstack Online Forms plugin <= 2.0.2 - Broken Access Control vulnerability
Weaknesses |  | CWE-862
References |  |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:55:34.170Z

Reserved: 2025-10-21T14:59:44.294Z

Link: CVE-2025-62738

Vulnrichment

Updated: 2025-12-10T21:52:37.245Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:02.620

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:45:12Z

Weaknesses