CVE-2024-10402

HIGH

Forminator Forms < 1.35.1 - Authenticated Missing Authorization in Form Management


Description

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms.

Scores

CVSS v3: 7.5
EPSS: 0.0051
EPSS Percentile: 39.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-862
Status: published
Products (2):
- wpmudev/Forminator Forms – Contact Form, Payment Form & Custom Form Builder < 1.35.1
- wpmudev/forminator_forms < 1.36.0
Published: Oct 26, 2024
Tracked Since: Feb 18, 2026