WordPress Plugin Vulnerabilities

Contact Form - Form builder by Kali Forms < 2.1.2 - Authenticated Plugin's Settings Change

Description

The kaliforms_update_option_ajax() AJAX action lacks capability and proper CSRF checks, allowing low privilege authenticated users to change or delete the plugin's settings.

Affects Plugins

Plugin icon
kali-forms
Fixed in 2.1.2

References

CVE
CVE-2020-36720
URL
https://blog.nintechnet.com/wordpress-kali-forms-plugin-fixed-multiple-vulnerabilities/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet)
Verified
No
WPVDB ID
f784814e-6fba-44b3-83c3-ad554e244021

Timeline

Publicly Published
2020-08-21 (about 3 years ago)
Added
2020-08-21 (about 3 years ago)
Last Updated
2023-06-08 (about 11 months ago)

Other

Published
Title
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Arbitrary Account Change
Published
2021-11-01
Title
Stylish Cost Calculator < 7.0.4 - Subscriber+ Unauthorised AJAX Calls to Stored XSS
Published
2024-02-07
Title
Simple Page Access Restriction < 1.0.23 - Improper Access Control to Sensitive Information Exposure via REST API
Published
2022-01-04
Title
Advanced Cron Manager - Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Published
2021-10-05
Title
Simple Download Monitor < 3.9.6 - Arbitrary Thumbnails Removal