Contact Form by WPForms <= 1.9.9.3 - Missing Authorization
Description
The Contact Form by WPForms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.9.3. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <=1.9.9.3
What Changed in the Fix
Changes introduced in v1.9.9.4
Source Code
WordPress.org SVN

check`. Maybe in `1.9.9.3`, the `permission_callback` for `/themes/custom/` was `permissions_check` (Contributor) by mistake? The prompt says version `1.9.9.3` is vulnerable. If the provided code is `1.9.9.3`, and it has `admin_permissions_check`, then maybe that's not it.
* *Wait!* Look at the JS in `assets/js/admin/education/edit-post.es5.min.js`:
```javascript
// Excerpt from the minified admin bundle; `s` is the bundle's local alias
// (presumably jQuery, so `s.post` is an AJAX POST to admin-ajax.php).
updateUserMeta: function() {
    s.post(wpforms_edit_post_education.ajax_url, {
        action: "wpforms_education_dismiss",                // wp_ajax_* action handled server-side
        nonce: wpforms_edit_post_education.education_nonce, // nonce localized into the page
        section: "edit-post-notice"
    })
}
```
The AJAX action is `wpforms_education_dismiss`.
The nonce is `wpforms-education`.
Search for this action in WPForms 1.9.9.3.
In `src/Admin/Education/Ajax.php` (which we don't have, but we can assume), the `dismiss` method is registered.
The vulnerability is that it lacks a capability check like `current_user_can( 'wpforms_manage_options' )`.
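The defect described above, as an added illustration rather than WPForms' own code: a WordPress admin-ajax handler that verifies only the nonce, beside the hardened form that also checks a capability. The hook, nonce action, option and capability names are placeholders.

```php
<?php
// Added illustration, not code from the WPForms plugin.
// Hook, nonce action, option and capability names are placeholders.

/* Vulnerable pattern: the nonce only proves the request was issued from a
 * page that rendered it (CSRF protection). Every logged-in user who can load
 * that page receives a valid nonce, so it says nothing about authorization;
 * with no capability check, a Contributor can trigger the action. */
function example_dismiss_notice_vulnerable() {
    check_ajax_referer( 'example-education', 'nonce' );

    $section = sanitize_key( $_POST['section'] ?? '' );
    // Placeholder for whatever privileged, site-wide change the handler makes.
    update_option( 'example_dismissed_' . $section, 1 );

    wp_send_json_success();
}

/* Hardened pattern: verify intent (nonce) AND authorization (capability)
 * before touching site-wide state; reject malformed input explicitly. */
function example_dismiss_notice_fixed() {
    check_ajax_referer( 'example-education', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $section = sanitize_key( $_POST['section'] ?? '' );
    if ( '' === $section ) {
        wp_send_json_error( array( 'message' => 'Missing section.' ), 400 );
    }

    update_option( 'example_dismissed_' . $section, 1 );

    wp_send_json_success();
}

// Registered for logged-in users only (no wp_ajax_nopriv_ hook), which matches
// the PR:L vector above. Only the hardened handler should ever be hooked.
add_action( 'wp_ajax_example_education_dismiss', 'example_dismiss_notice_fixed' );
```

The capability to check depends on what the action actually does; the point is that a nonce alone is never a substitute for a `current_user_can()` check.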
* **Wait, I found the patch details**