Vedrixa Forms <= 1.1.1
A vulnerability exists in the Vedrixa Forms WordPress plugin, specifically in versions up to and including 1.1.1. The issue stems from a lack of proper authorization checks, allowing authenticated users with subscriber-level access or higher to bypass restrictions and modify form structures. This includes the ability to add, remove, or alter fields on any form by submitting user-controlled data to the plugin's FORMS database table. The vulnerability is facilitated by the 'ajax-nonce' nonce, which is exposed on the public frontend and can be accessed by any authenticated user without elevated permissions.
Exploitation of this vulnerability could lead to unauthorized modifications of form structures, allowing attackers to manipulate form fields and potentially disrupt form functionality or data collection processes.
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can visit a page containing a Vedrixa Forms shortcode. The user can then use the 'wefb_save_form_structure' AJAX action to submit changes to any form, including adding, removing, or altering fields. This can be done by crafting a request that includes the desired modifications and the 'ajax-nonce' nonce, which is readily available on the page.
Users are advised to update the Vedrixa Forms WordPress plugin to version 1.2.0 or later, where this vulnerability has been patched.
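The missing authorization check described above can be enforced from outside the plugin on sites that have not yet updated. The following is an added example, not code from the plugin or from its 1.2.0 patch: a must-use plugin that runs a capability check ahead of the 'wefb_save_form_structure' handler. The `vfg_` names, the `manage_options` capability and the assumption that the plugin registers its handler at the default hook priority are all illustrative.

```php
<?php
/**
 * Plugin Name: Vedrixa Forms structure-save guard (added example)
 * Description: Interim capability check for the wefb_save_form_structure AJAX action.
 *
 * Assumptions: this file lives in wp-content/mu-plugins/, and 'manage_options'
 * is the capability that should be allowed to edit form structures on this site.
 */

// Capability required to change a form's structure (assumed, adjust per site).
const VFG_REQUIRED_CAP = 'manage_options';

/**
 * Runs before the plugin's own handler for the same action and ends the
 * request if the caller lacks the capability. A valid nonce is not enough:
 * it only shows the request came from a page the user loaded.
 */
function vfg_guard_save_form_structure() {
    if ( current_user_can( VFG_REQUIRED_CAP ) ) {
        return; // Allowed: fall through to the plugin's handler.
    }

    // Record the denied attempt so it can be reviewed later.
    error_log( sprintf(
        'vfg: blocked wefb_save_form_structure from user_id=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() sends the response and terminates the request,
    // so the plugin's handler registered on this hook never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Priority 0 runs ahead of handlers registered at the default priority 10
// (assumed to be how the plugin registers its handler).
add_action( 'wp_ajax_wefb_save_form_structure', 'vfg_guard_save_form_structure', 0 );
```

The denied-request log lines also give a simple signal for spotting subscriber accounts that attempted to call the action.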