Impact
The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before version 2.1.1 contains a flaw that allows an unauthenticated visitor to create a new WordPress user account with administrative privileges. The plugin does not enforce role restrictions when it creates users from public form submissions, so if the role mapping is configured to take its value from a public form field, the submitted value is trusted and can be set to the administrator role. The result is full control of the site without any prior authentication.
Affected Systems
This vulnerability affects any WordPress installation running the Advanced Form Integration — Connect Forms to 200+ Apps plugin at a version earlier than 2.1.1. The affected product is the WordPress plugin component of the vendor Advanced Form Integration, and the issue is tied to configurations that map a role to a public form field.
Risk and Exploitability
The CVSS score of 8.1 indicates a high-severity vulnerability. Exploitation requires an attacker to submit a crafted form payload to an enabled integration that maps a role field to a public form field, a scenario that is relatively straightforward once such a configuration has been identified. No authentication is required, so the flaw amounts to privilege escalation from anonymous visitor to administrator and compromises site confidentiality, integrity, and availability. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so the probability of exploitation is unknown, but it is considered significant because of the simplicity of the attack path.
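The root cause described above is a role value that flows from a public form field into user creation unchecked. The following PHP is an added, hypothetical example written for this advisory, not code from the plugin or its vendor; it shows the shape of a fix, where the role produced by the mapping is constrained to an allowlist of non-privileged roles before the user is created (function names prefixed `afi_example_` are assumptions; all other calls are standard WordPress functions).

```php
<?php
// Hypothetical hardened helper (added example, not the plugin's code):
// create a WordPress user from a public form submission while refusing
// to honour any privileged role that originates from the submission.

// Roles that may ever be assigned from a public (unauthenticated) form.
const AFI_EXAMPLE_PUBLIC_ROLE_ALLOWLIST = array( 'subscriber' );

/**
 * Resolve the role for a user created from a public form submission.
 * $mapped_role is whatever the integration's role mapping produced; in the
 * flawed configuration that is a value copied straight from a form field.
 */
function afi_example_resolve_public_role( $mapped_role ) {
    $role = is_string( $mapped_role ) ? sanitize_key( $mapped_role ) : '';
    // Only allowlisted roles survive. 'administrator', unknown roles and
    // empty values all fall back to the site default, and the default is
    // checked too in case default_role has been pointed at a privileged role.
    if ( ! in_array( $role, AFI_EXAMPLE_PUBLIC_ROLE_ALLOWLIST, true ) ) {
        $default = get_option( 'default_role', 'subscriber' );
        $role    = in_array( $default, AFI_EXAMPLE_PUBLIC_ROLE_ALLOWLIST, true )
            ? $default
            : 'subscriber';
    }
    return $role;
}

/**
 * Create the user. Capability-granting roles never reach wp_insert_user()
 * from this path, so a crafted submission cannot escalate privileges.
 * $fields holds the sanitised-on-entry form values keyed by field name.
 */
function afi_example_create_user_from_submission( array $fields, $mapped_role ) {
    $email = sanitize_email( $fields['email'] ?? '' );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        return new WP_Error( 'afi_example_bad_email', 'Invalid or duplicate e-mail.' );
    }
    $login = sanitize_user( $fields['username'] ?? $email, true );
    if ( '' === $login || username_exists( $login ) ) {
        return new WP_Error( 'afi_example_bad_login', 'Username missing or already in use.' );
    }
    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24, true ),
        'role'       => afi_example_resolve_public_role( $mapped_role ),
    ) );
}
```

Until the plugin is updated to 2.1.1 or later, site owners can apply the same check operationally: review any integration whose role mapping points at a form field, and audit recently registered accounts that hold the administrator role.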
OpenCVE Enrichment