Forms Rb WordPress Plugin Authorization Bypass Vulnerability Allowing Arbitrary Modification

A vulnerability exists in the Forms Rb plugin for WordPress, affecting all versions up to and including 1.1.9. The issue stems from the plugin's failure to properly verify user authorization, allowing authenticated attackers with contributor-level access or higher to bypass restrictions. Exploitation of this vulnerability enables these users to read form submission records, modify form configuration options, and delete records from any form they do not personally own.

Impact

Exploitation of this vulnerability could lead to unauthorized access to form submission data, unauthorized modifications of form settings, and the ability to delete form records from other users, potentially causing data loss.

Reproduction

To reproduce this vulnerability, an authenticated user with contributor-level access or higher can send requests to the WordPress REST API endpoints associated with the Forms Rb plugin. The absence of proper authorization checks allows these users to manipulate form records and settings arbitrarily, including deleting records from forms they do not own.

Remediation

No known patch is available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.