PT-2024-16248 · WordPress · The Forminator Forms
Author: Wesley · Published 2024-10-26 · Updated 2024-10-28
CVE: CVE-2024-10402
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress versions up to, and including, 1.35.1
Description
The issue arises from a missing capability check on a function, allowing authenticated attackers with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms. This includes the ability to update the default registration role to Administrator on User Registration forms.
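The bug class above is a privileged action reachable by any logged-in user because the handler never asks WordPress whether the caller is allowed to perform it. The following is an added illustration, not Forminator's code: a hypothetical form-settings AJAX handler in the unsafe shape the advisory describes, followed by a hardened version that adds a nonce check, a capability check, and an allow-list for the registration-role setting. The hook names, nonce action, post type and meta key (acme_*) are invented for the example.

```php
<?php
// Added illustration, not code from the Forminator plugin.
// Hypothetical identifiers: acme_save_form, acme_form_nonce, acme_form, _acme_default_role.

// --- Unsafe pattern: logged-in, but no capability check -----------------------
add_action( 'wp_ajax_acme_save_form_unsafe', function () {
    // Every wp_ajax_* hook is reachable by any authenticated user (Contributor and up).
    $form_id = absint( $_POST['form_id'] ?? 0 );
    $role    = sanitize_key( wp_unslash( $_POST['default_role'] ?? 'subscriber' ) );
    // The registration role can now be set to 'administrator' by a Contributor.
    update_post_meta( $form_id, '_acme_default_role', $role );
    wp_send_json_success();
} );

// --- Hardened pattern -----------------------------------------------------------
add_action( 'wp_ajax_acme_save_form', function () {
    // 1. CSRF: the request must carry a nonce bound to this action.
    check_ajax_referer( 'acme_save_form', 'acme_form_nonce' );

    // 2. Authorization: editing forms requires an explicit capability,
    //    not merely a session. manage_options limits it to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Only operate on objects of the expected type.
    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( ! $form_id || 'acme_form' !== get_post_type( $form_id ) ) {
        wp_send_json_error( 'bad form id', 400 );
    }

    // 4. The default registration role is a privilege-escalation lever:
    //    require promote_users, accept only roles that exist, and never
    //    allow 'administrator' as a self-registration default.
    if ( isset( $_POST['default_role'] ) ) {
        $role = sanitize_key( wp_unslash( $_POST['default_role'] ) );
        if ( ! current_user_can( 'promote_users' )
            || ! wp_roles()->is_role( $role )
            || 'administrator' === $role ) {
            wp_send_json_error( 'role not allowed', 403 );
        }
        update_post_meta( $form_id, '_acme_default_role', $role );
    }

    wp_send_json_success();
} );
```

When reviewing a plugin for this class of issue, every `wp_ajax_*`, REST route `permission_callback`, and `admin_post_*` handler that writes settings should contain a `current_user_can()` check in addition to the nonce check, since a nonce proves intent, not authorization.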
Recommendations
For versions up to, and including, 1.35.1, update to a version higher than 1.35.1 to resolve the issue.
As a temporary workaround, consider restricting access to the form editing functionality to prevent unauthorized modifications until a patch is available.
Fix
Missing Authorization
Affected Products: The Forminator Forms