Price Manipulation Vulnerability in WPForms - Drag & Drop Form Builder
CVE-2024-3649
5.3MEDIUM
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 2 May 2024
Summary
The WPForms - Drag & Drop Form Builder plugin for WordPress suffers from a price manipulation vulnerability due to insufficient validation on key product parameters. This allows unauthenticated attackers to alter pricing, product information, and quantities during checkout processes involving Stripe payments. Users are strongly advised to update to the latest version to mitigate potential exploitation risks.
Affected Version(s)
Contact Form by WPForms – Drag & Drop Form Builder for WordPress * <= 1.8.7.2
References
CVSS V3.1
Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Asaf Mozes