PT-2024-39769 · WordPress · Forminator Forms

Vijaysimha +1 · Published 2024-10-30 · Updated 2024-11-25 · CVE-2024-9700

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress, versions up to and including 1.36.0.
Description: The issue is an Insecure Direct Object Reference (IDOR) in the submit_quizzes() function. The entry_id key is taken from the request without any check that the referenced entry belongs to the requester, so an unauthenticated attacker who supplies another visitor's entry_id can modify that user's quiz submission. Only integrity is affected (the vector scores C:N/I:L/A:N): the flaw allows overwriting existing submissions, not reading them.
Recommendations: For versions up to and including 1.36.0, update to a version that includes a fix for this issue. If an update is not possible immediately, consider disabling quiz forms (the submission path through submit_quizzes()) as a temporary workaround. Do not let an unauthenticated request choose which stored entry it updates by entry_id alone; an update must be tied to proof that the entry belongs to the requester.
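The following toy handler is an added illustration of the flaw class described above, not Forminator's code and not the actual submit_quizzes() implementation. The function names, the $entries array, and the owner_token field are assumptions made for the example: they model a quiz-submission endpoint that first creates an entry and later accepts an update keyed by entry_id, shown in the vulnerable shape and then in a hardened one.

```php
<?php
// Added illustration (not Forminator's code): a toy quiz-submission handler
// showing the entry_id IDOR pattern and one way to close it.
// All names here (functions, fields, $entries) are assumptions for the example.

// Constructed stand-in for the plugin's entries table: two quiz submissions
// by different anonymous visitors. Each row carries a secret owner token
// that was generated server-side when the entry was first created.
$entries = [
    7 => ['form_id' => 1, 'owner_token' => 'a1b2c3', 'answers' => ['q1' => 'A']],
    8 => ['form_id' => 1, 'owner_token' => 'd4e5f6', 'answers' => ['q1' => 'B']],
];

// Vulnerable shape: the request's entry_id alone decides which row is
// overwritten; nothing ties the requester to that entry.
function submit_quiz_vulnerable(array &$entries, array $post): string
{
    $entry_id = isset($post['entry_id']) ? (int) $post['entry_id'] : 0;
    if ($entry_id > 0 && isset($entries[$entry_id])) {
        $entries[$entry_id]['answers'] = $post['answers']; // IDOR: unchecked write
        return "updated entry {$entry_id}";
    }
    $entries[] = [
        'form_id'     => (int) $post['form_id'],
        'owner_token' => bin2hex(random_bytes(16)),
        'answers'     => $post['answers'],
    ];
    return 'created new entry';
}

// Hardened shape: an update of an existing entry is honoured only when the
// request presents that entry's owner token, compared in constant time.
function submit_quiz_hardened(array &$entries, array $post): string
{
    $entry_id = isset($post['entry_id']) ? (int) $post['entry_id'] : 0;
    if ($entry_id > 0) {
        if (!isset($entries[$entry_id])) {
            return 'rejected: unknown entry';
        }
        $token = (string) ($post['owner_token'] ?? '');
        if ($token === '' || !hash_equals($entries[$entry_id]['owner_token'], $token)) {
            return "rejected: not the owner of entry {$entry_id}";
        }
        $entries[$entry_id]['answers'] = $post['answers'];
        return "updated entry {$entry_id}";
    }
    // First submission: create the row and hand the token back to the client
    // (in a real handler, inside the JSON response) so only that client can
    // later resume or edit the entry.
    $token = bin2hex(random_bytes(16));
    $entries[] = [
        'form_id'     => (int) $post['form_id'],
        'owner_token' => $token,
        'answers'     => $post['answers'],
    ];
    return 'created new entry, owner_token=' . $token;
}

// Constructed attacker request: no login, no token, just a guessed entry_id
// that belongs to another visitor.
$attack = ['form_id' => 1, 'entry_id' => 8, 'answers' => ['q1' => 'Z']];

$vuln = $entries;
echo submit_quiz_vulnerable($vuln, $attack), ' -> entry 8 answers: ',
    json_encode($vuln[8]['answers']), PHP_EOL;

$safe = $entries;
echo submit_quiz_hardened($safe, $attack), ' -> entry 8 answers: ',
    json_encode($safe[8]['answers']), PHP_EOL;
```

Run it with the PHP CLI; the first line shows the attacker's answers replacing entry 8, the second shows the same request rejected with entry 8 unchanged. Two caveats for anyone porting the idea into a WordPress plugin: a wp_verify_nonce() check on its own would not close this gap, because nonces for logged-out visitors are not bound to a particular entry, so the binding has to be to the entry itself (a per-entry secret as above, or the logged-in user that created it); and the real handler should still use prepared $wpdb queries for the lookup and update rather than the array stand-in used here.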

Fix

Weakness Enumeration: IDOR
Related Identifiers: CVE-2024-9700
Affected Products: Forminator Forms