[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fe--Ip2NAaIIFilHtrLJfwJUqlS_UZIOKU50oyKbY6YM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-32332","easy-form-missing-authorization-2","Easy Form \u003C= 2.7.9 - Missing Authorization","The Easy Form plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.9. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","easy-form",null,"\u003C=2.7.9","2.8.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-09 00:00:00","2026-04-15 21:00:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F89c199e0-c8ec-4867-b9b5-412a5603c46c?source=api-prod",66,[22,23,24,25,26,27],"admin\u002Fclass-ays-form-maker-admin.php","admin\u002Fjs\u002Fays-form-maker-admin.js","admin\u002Fjs\u002Fays-form-maker-general.js","easy-form.php","includes\u002Fclass-ays-form-maker.php","readme.txt","researched",false,3,"# Vulnerability Analysis: CVE-2026-32332\n\nThe **Easy Form** plugin (versions \u003C= 2.7.9) is vulnerable to **Missing Authorization**, allowing unauthenticated attackers to perform unauthorized actions. The vulnerability likely stems from a handler hooked to `admin_init` (which executes for all requests to `\u002Fwp-admin\u002Fadmin-ajax.php`, including unauthenticated ones) or a `wp_ajax_nopriv_` action that lacks a `current_user_can()` check.\n\nGiven the CVSS vector `CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N`, the impact is limited to **Integrity (Low)** with **No Confidentiality** impact. 
This suggests the unauthorized action involves modifying or deleting non-sensitive data (e.g., duplicating a form, deleting an entry, or resetting statistics) rather than exporting data.\n\n## Attack Vector Analysis\n\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php` (or potentially `\u002Fwp-admin\u002Fadmin-post.php`)\n- **Hook**: `admin_init` or `wp_ajax_nopriv_ays_form_admin_ajax`\n- **Vulnerable Action**: `ays_form_action` or `action` parameter triggers a sensitive method (e.g., `duplicate_form`) without authorization.\n- **Authentication**: None required (Unauthenticated).\n- **Preconditions**: A form","The Easy Form plugin for WordPress is vulnerable to unauthorized access because it registers the 'ays_form_admin_ajax' AJAX handler for unauthenticated users and fails to perform capability checks or nonce verification. This allows unauthenticated attackers to execute arbitrary methods within the Ays_Form_Maker_Admin class by specifying the method name in the 'function' request parameter.","\u002F\u002F includes\u002Fclass-ays-form-maker.php\n\u002F\u002F Registration of nopriv hook makes the handler accessible to unauthenticated users\n$this->loader->add_action( 'wp_ajax_ays_form_admin_ajax', $plugin_admin, 'ays_form_admin_ajax' );\n$this->loader->add_action( 'wp_ajax_nopriv_ays_form_admin_ajax', $plugin_admin, 'ays_form_admin_ajax' );\n\n---\n\n\u002F\u002F admin\u002Fclass-ays-form-maker-admin.php line 942\npublic function ays_form_admin_ajax() {\n    $response = array(\n        \"status\" => false\n    );\n    \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n    $function = isset($_REQUEST['function']) ? 
sanitize_text_field( wp_unslash( $_REQUEST['function'] ) ) : null;\n\n    if($function !== null){\n        $response = array();\n        if( is_callable( array( $this, $function ) ) ){\n            $response = $this->$function();\n\n            ob_end_clean();\n            $ob_get_clean = ob_get_clean();\n            echo json_encode( $response );\n            wp_die();\n        }\n    }\n    ob_end_clean();\n    $ob_get_clean = ob_get_clean();\n    echo json_encode( $response );\n    wp_die();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feasy-form\u002F2.7.9\u002Fadmin\u002Fclass-ays-form-maker-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feasy-form\u002F2.8.0\u002Fadmin\u002Fclass-ays-form-maker-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feasy-form\u002F2.7.9\u002Fadmin\u002Fclass-ays-form-maker-admin.php\t2025-11-19 13:03:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feasy-form\u002F2.8.0\u002Fadmin\u002Fclass-ays-form-maker-admin.php\t2026-02-18 08:12:26.000000000 +0000\n@@ -942,20 +942,56 @@\n \t\t$response = array(\n \t\t\t\"status\" => false\n \t\t);\n+\n+\t\t\u002F\u002F Security Check 1: Verify user is logged in\n+\t\tif ( ! is_user_logged_in() ) {\n+\t\t\tob_end_clean();\n+\t\t\t$ob_get_clean = ob_get_clean();\n+\t\t\techo json_encode( $response );\n+\t\t\twp_die();\n+\t\t}\n+\n+\t\t\u002F\u002F Security Check 2: Verify nonce\n+\t\t\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n+\t\t$nonce = isset($_REQUEST['_ajax_nonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_ajax_nonce'] ) ) : '';\n+\t\tif ( ! 
wp_verify_nonce( $nonce, 'ays-form-maker-admin-ajax-nonce' ) ) {\n+\t\t\tob_end_clean();\n+\t\t\t$ob_get_clean = ob_get_clean();\n+\t\t\techo json_encode( $response );\n+\t\t\twp_die();\n+\t\t}\n+\n+\t\t\u002F\u002F Security Check 3: Verify user has admin capabilities\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\tob_end_clean();\n+\t\t\t$ob_get_clean = ob_get_clean();\n+\t\t\techo json_encode( $response );\n+\t\t\twp_die();\n+\t\t}\n+\n+\t\t\u002F\u002F Get the function name from request\n \t\t\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n \t\t$function = isset($_REQUEST['function']) ? sanitize_text_field( wp_unslash( $_REQUEST['function'] ) ) : null;\n \n-\t\tif($function !== null){\n+\t\t\u002F\u002F Security Check 4: Whitelist allowed AJAX functions\n+\t\t$allowed_functions = array(\n+\t\t\t'ays_live_preivew_content',\n+\t\t\t'ays_form_entry_report',\n+\t\t\t'ays_form_add_form_template',\n+\t\t\t'deactivate_plugin_option',\n+\t\t\t'get_selected_posts'\n+\t\t);\n+\n+\t\tif ( $function !== null && in_array( $function, $allowed_functions, true ) && is_callable( array( $this, $function ) ) ) {\n \t\t\t$response = array();\n-\t\t\tif( is_callable( array( $this, $function ) ) ){\n-\t\t\t\t$response = $this->$function();\n+\t\t\t$response = $this->$function();\n \n-\t\t\t\tob_end_clean();\n-\t\t\t\t$ob_get_clean = ob_get_clean();\n-\t\t\t\techo json_encode( $response );\n-\t\t\t\twp_die();\n-\t\t\t}\n+\t\t\tob_end_clean();\n+\t\t\t$ob_get_clean = ob_get_clean();\n+\t\t\techo json_encode( $response );\n+\t\t\twp_die();\n \t\t}\n+\n \t\tob_end_clean();\n \t\t$ob_get_clean = ob_get_clean();\n \t\techo json_encode( $response );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feasy-form\u002F2.7.9\u002Fincludes\u002Fclass-ays-form-maker.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feasy-form\u002F2.8.0\u002Fincludes\u002Fclass-ays-form-maker.php\n--- 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feasy-form\u002F2.7.9\u002Fincludes\u002Fclass-ays-form-maker.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feasy-form\u002F2.8.0\u002Fincludes\u002Fclass-ays-form-maker.php\n@@ -248,7 +248,7 @@\n \n \t\t\u002F\u002F Admin AJAX action\n \t\t$this->loader->add_action( 'wp_ajax_ays_form_admin_ajax', $plugin_admin, 'ays_form_admin_ajax' );\n-\t\t$this->loader->add_action( 'wp_ajax_nopriv_ays_form_admin_ajax', $plugin_admin, 'ays_form_admin_ajax' );\n+\t\t\u002F\u002F Note: Removed wp_ajax_nopriv_ hook for security - requires authentication","The exploit target is the `admin-ajax.php` endpoint. An attacker sends a POST or GET request with the `action` parameter set to `ays_form_admin_ajax`. By providing a `function` parameter, the attacker can force the server to execute any public method within the `Ays_Form_Maker_Admin` class. No authentication or valid nonces are required. For example, an attacker could attempt to manipulate plugin options by targeting `deactivate_plugin_option` or generate reports via `ays_form_entry_report`.","gemini-3-flash-preview","2026-04-21 02:58:28","2026-04-21 02:59:19",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","2.7.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-form\u002Ftags\u002F2.7.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-form.2.7.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-form\u002Ftags\u002F2.8.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-form.2.8.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-form\u002Ftags"]