CVE-2023-5386

Name of the Vulnerable Software and Affected Versions Funnelforms Free plugin for WordPress versions up to and including 3.4

Description The issue allows authenticated attackers with subscriber-level permissions and above to modify data without proper authorization. This is due to a missing capability check on the fnsf delete posts function, enabling them to delete arbitrary posts, including those of administrators and posts unrelated to the Funnelforms Free plugin.

Recommendations For versions up to and including 3.4, consider disabling the fnsf delete posts function until a patch is available to prevent unauthorized post deletion. Restrict access to the Funnelforms Free plugin's functionality to minimize the risk of exploitation.