History: May 23, 2024 - 4:30 a.m.

CVE-2023-6325 RomethemeForm For Elementor <= 1.1.5 - Missing Authorization via export_entries, rtformnewform, and rtformupdate

2024-05-23 04:30:53
Wordfence
www.cve.org
cve-2023-6325
romethemeform
elementor
unauthorized access
data modification
wordpress
vulnerability
arbitrary form submissions
capability check

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 5.7 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 20.6%)

The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the export_entries, rtformnewform, and rtformupdate functions in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to export arbitrary form submissions, create new forms, or update any post title or certain metadata.

CNA Affected

[
  {
    "vendor": "rometheme",
    "product": "RomethemeForm For Elementor",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.1.5",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

