CVE-2024-9700 – Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation
https://notcve.org/view.php?id=CVE-2024-9700
30 Oct 2024 — The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user-controlled key. This makes it possible for unauthenticated attackers to modify other users' quiz submissions. • https://plugins.trac.wordpress.org/browser/forminator/tags/1.35.1/library/modules/quizzes/front/front-action.php#L548 • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2024-10402 – Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Missing Authorization to Authenticated (Contributor+) Form Update and Creation
https://notcve.org/view.php?id=CVE-2024-10402
25 Oct 2024 — The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms. • https://plugins.trac.wordpress.org/changeset/3169243 • CWE-862: Missing Authorization
CVE-2024-9351 – Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Quiz Creation
https://notcve.org/view.php?id=CVE-2024-9351
16 Oct 2024 — The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the quiz 'create_module' function. This makes it possible for unauthenticated attackers to create draft quizzes via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/forminator/tags/1.35.0/library/modules/quizzes/admin/admin-loader.php#L719 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-9352 – Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Custom Form Creation
https://notcve.org/view.php?id=CVE-2024-9352
16 Oct 2024 — The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the custom form 'create_module' function. This makes it possible for unauthenticated attackers to create draft forms via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/forminator/tags/1.35.0/library/modules/custom-forms/admin/admin-loader.php#L418 • CWE-352: Cross-Site Request Forgery (CSRF)