Unauthorized Data Modification in Funnelforms Free Plugin for WordPress
CVE-2023-5386
Key Information:
- Vendor: WordPress
- Status: Vendor
- CVE Published: 22 November 2023
Summary
The Funnelforms Free plugin for WordPress allows authenticated users with subscriber-level access or higher to delete any post on the site. The root cause is a missing capability check in the fnsf_delete_posts function: the handler never verifies that the calling user is allowed to delete the targeted post, so an attacker can compromise data integrity by deleting arbitrary posts, including those authored by administrators and content unrelated to the plugin itself. The issue underlines the need for proper authorization checks in plugin code to prevent unauthorized data modification.
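To make the root cause concrete, here is an added illustration of the pattern the advisory describes (a WordPress AJAX delete handler with no authorization check) next to a hardened version. This is example code written for this page, not the Funnelforms plugin's actual handler; the hook names, function names, the `example_form` post type and the nonce action are hypothetical. The hardened handler combines the three checks a reviewer would look for: a nonce check against CSRF, a per-post capability check, and a restriction to the plugin's own post type so the handler cannot be turned against unrelated content.

```php
<?php
// Added example (not the Funnelforms plugin's code). Hook names, function
// names, the 'example_form' post type and the nonce action are hypothetical.

// MISSING-CHECK PATTERN: wp_ajax_* hooks are reachable by every logged-in user,
// and nothing here verifies a nonce, a capability, or the post type, so a
// subscriber can delete any post ID they send.
add_action( 'wp_ajax_example_delete_posts_unsafe', 'example_delete_posts_unsafe' );
function example_delete_posts_unsafe() {
    $ids = isset( $_POST['ids'] ) ? (array) $_POST['ids'] : array();
    foreach ( $ids as $id ) {
        wp_delete_post( (int) $id, true ); // deletes any post, including admins' pages
    }
    wp_send_json_success();
}

// HARDENED: nonce check (CSRF), per-post capability check, and the handler
// only touches the plugin's own post type.
add_action( 'wp_ajax_example_delete_posts', 'example_delete_posts' );
function example_delete_posts() {
    // Sends a 403 and stops if the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_posts_nonce', 'nonce' );

    // Sanitize: only non-negative integers survive.
    $ids     = isset( $_POST['ids'] ) ? array_map( 'absint', (array) $_POST['ids'] ) : array();
    $deleted = array();

    foreach ( $ids as $post_id ) {
        $post = get_post( $post_id );
        if ( ! $post || 'example_form' !== $post->post_type ) {
            continue; // never touch posts that do not belong to the plugin
        }
        // 'delete_post' is a meta capability: WordPress maps it to
        // delete_posts / delete_others_posts for the post's type and owner
        // (for a custom post type this needs map_meta_cap => true at
        // registration), so a subscriber fails here.
        if ( ! current_user_can( 'delete_post', $post_id ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
        }
        if ( wp_delete_post( $post_id, true ) ) {
            $deleted[] = $post_id;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// The nonce is generated server-side when the admin page is rendered, e.g.
// wp_create_nonce( 'example_delete_posts_nonce' ), and submitted as the
// 'nonce' POST field alongside 'ids'.
```

The capability check alone closes the flaw the advisory describes; the nonce and post-type restriction are the two companion checks that keep the same handler from becoming a CSRF target or a general-purpose delete endpoint later.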
Affected Version(s)
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free: all versions up to and including 3.4 (<= 3.4)
Timeline
- Vulnerability reserved
- Vulnerability published: 22 November 2023