Vijaysimha Reddy

**Name of the Vulnerable Software and Affected Versions** Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress versions up to and including 7.8.5 **Description** The issue is related to unauthorized form submissions due to a missing capability check on the `submit form()` function. This allows unauthenticated attackers to submit unpublished forms. **Recommendations** For versions up to and including 7.8.5, consider disabling the `submit form()` function until a patch is available to prevent unauthorized form submissions. Update to a version later than 7.8.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress versions up to, and including, 7.8.5 **Description** The issue is related to unauthorized access of data due to a missing capability check on the `preview module()` function. This allows authenticated attackers with Subscriber-level access and above to view unpublished forms. **Recommendations** For versions up to, and including, 7.8.5, update to a version that includes a fix for the missing capability check in the `preview module()` function. As a temporary workaround, consider restricting access to the `preview module()` function to prevent unauthorized viewing of unpublished forms.

**Name of the Vulnerable Software and Affected Versions** Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress versions up to, and including, 1.36.0 **Description** The issue is related to Insecure Direct Object Reference, which allows unauthenticated attackers to modify other users' quiz submissions due to missing validation on the `entry id` user-controlled key. This is possible via the `submit quizzes()` function. **Recommendations** For versions up to, and including, 1.36.0, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the `submit quizzes()` function until a patch is available. Restrict access to the `entry id` key to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress versions up to, and including, 1.35.1 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `create module` function. This allows unauthenticated attackers to create draft quizzes via a forged request if they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.35.1, update to a version that includes the fix for the missing or incorrect nonce validation on the `create module` function. As a temporary workaround, consider restricting access to the quiz creation functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress versions up to, and including, 1.35.1 **Description** The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the custom form `create module` function. This allows unauthenticated attackers to create draft forms via a forged request if they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to, and including, 1.35.1, update to a version that includes the fix for the missing or incorrect nonce validation in the `create module` function. As a temporary workaround, consider restricting access to the custom form builder to minimize the risk of exploitation.