CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33593 – WordPress Smart Forms plugin <= 2.6.91 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-33593
Missing Authorization vulnerability in RedNao Smart Forms.This issue affects Smart Forms: from n/a through 2.6.91. Vulnerabilidad de falta de autorización en RedNao Smart Forms. Este problema afecta a Smart Forms: desde n/a hasta 2.6.91. The Smart Forms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rednao_smart_forms_dont_show_again() function in versions up to, and including, 2.6.91. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices. • https://patchstack.com/database/vulnerability/smart-forms/wordpress-smart-forms-plugin-2-6-91-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49856 – Smart Forms <= 2.6.84 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2023-49856
The Smart Forms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the smart_forms_save_settings() function hooked via AJAX in versions up to, and including, 2.6.84. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options which can be used for remote code execution. • CWE-862: Missing Authorization •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8803 – Smart Forms – when you need more than just a contact form <= 2.1.0 - Missing Authorization
https://notcve.org/view.php?id=CVE-2014-8803
The Smart Forms – when you need more than just a contact form plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the rednao_smart_forms_save_form_values function in versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to edit forms, including entering stored cross-site scripting, as output is not properly escaped. • CWE-862: Missing Authorization •