Description
Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects weForms: from n/a through <= 1.6.25.
Published: 2025-12-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a broken access control flaw in the BoldGrid weForms WordPress plugin. The plugin fails to enforce proper authorization when accessing certain management functions, allowing an attacker with any authenticated user role to perform actions that should be restricted, such as modifying form configurations and potentially accessing sensitive data. The weakness aligns with CWE-862, indicating an improper authorization failure that could lead to unauthorized data manipulation and exposure.

Affected Systems

BoldGrid weForms plugin versions from an unspecified initial release up to and including 1.6.25 are affected. Any WordPress site running version 1.6.25 or earlier of this plugin is potentially vulnerable, including sites that have not upgraded beyond version 1.6.25.

Risk and Exploitability

Based on the CVSS score of 5.3, the issue carries moderate risk. The EPSS score of less than 1% indicates the exploit probability is low. It is not present in CISA KEV, meaning it has not been observed in widespread exploitation campaigns. The vulnerability likely requires the attacker to log into WordPress with any user role and then access management endpoints that are improperly protected, allowing them to modify forms or obtain data without authorization. No advanced prerequisites or zero-day exploits are needed; exploitation is straightforward once access to the site is available.

Generated by OpenCVE AI on April 29, 2026 at 11:01 UTC.
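The following is an added illustration of the weakness class named above (CWE-862, missing authorization) in a WordPress plugin handler. It is hypothetical code written for this page, not the weForms plugin's own code; the hook name, capability, option key and REST route are assumptions. The point it shows is that registering a handler on a `wp_ajax_{action}` hook only guarantees the caller is logged in; it says nothing about what the caller is allowed to do, so the capability check (authorization) and nonce check (request forgery protection) must be written explicitly, and the same applies to a REST route's `permission_callback`.

```php
<?php
// Hypothetical example for the CWE-862 pattern behind CVE-2025-69028, not weForms code.
// Hook name, capability ('manage_options'), option key and REST namespace are assumptions.

// BEFORE: reachable by any logged-in user. The wp_ajax_* hook only requires
// authentication; nothing here checks authorization or a nonce.
function example_save_form_settings_unprotected() {
    $form_id  = absint( $_POST['form_id'] ?? 0 );
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'example_form_settings_' . $form_id, $settings );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_save_form_settings', 'example_save_form_settings_unprotected' );

// AFTER: the same handler with an explicit authorization check and CSRF protection.
function example_save_form_settings_protected() {
    // Reject requests that do not carry a valid nonce for this specific action.
    check_ajax_referer( 'example_save_form_settings', 'nonce' );

    // Authorization: only users who may manage site options can change form settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $form_id  = absint( $_POST['form_id'] ?? 0 );
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'Invalid form id.' ), 400 );
    }

    update_option( 'example_form_settings_' . $form_id, $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_form_settings', 'example_save_form_settings_protected' );

// REST routes follow the same rule: permission_callback must express a real
// authorization decision, not simply '__return_true'.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forms/(?P<id>\d+)/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_form_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );

function example_rest_save_form_settings( WP_REST_Request $request ) {
    $form_id  = absint( $request['id'] );
    $settings = sanitize_text_field( (string) $request->get_param( 'settings' ) );
    update_option( 'example_form_settings_' . $form_id, $settings );
    return new WP_REST_Response( array( 'saved' => true ), 200 );
}
```

When reviewing a plugin for this class of issue, look at every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `register_rest_route` registration and confirm that each handler (or its `permission_callback`) calls `current_user_can()` with a capability appropriate to the action, rather than relying on the user merely being logged in.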

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BoldGrid weForms plugin to version 1.6.26 or later to restore proper authorization checks.
  • After updating, review the plugin’s configuration and ensure that only authorized administrators have access to form management pages.
  • If an immediate update is not feasible, block unauthenticated or non-administrator traffic to the plugin’s admin URLs using a web application firewall or server configuration to mitigate the risk until a patch can be applied.

Generated by OpenCVE AI on April 29, 2026 at 11:01 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000
  (no field changes listed)

Tue, 20 Jan 2026 14:45:00 +0000
  (no field changes listed)

Mon, 05 Jan 2026 10:45:00 +0000
  Type: First Time appeared    Values Removed: (none)    Values Added: Wordpress; Wordpress wordpress
  Type: Vendors & Products     Values Removed: (none)    Values Added: Wordpress; Wordpress wordpress

Fri, 02 Jan 2026 22:15:00 +0000

  Type: Metrics    Values Removed: (none)    Values Added:
    cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 11:00:00 +0000

  Type: Description    Values Removed: (none)    Values Added: Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weForms: from n/a through <= 1.6.25.
  Type: Title          Values Removed: (none)    Values Added: WordPress weForms plugin <= 1.6.25 - Broken Access Control vulnerability
  Type: Weaknesses     Values Removed: (none)    Values Added: CWE-862
  Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:33:56.672Z

Reserved: 2025-12-29T11:18:35.617Z

Link: CVE-2025-69028

Vulnrichment

Updated: 2026-01-02T21:54:55.786Z

NVD

Status : Deferred

Published: 2025-12-30T11:16:01.353

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses