CVE-2024-1217

EUVD-2024-16984
The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with subscriber access or higher, to deactivate any active plugins.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
WordfenceCNA
7.6 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Affected Products (NVD)
VendorProductVersion
kaliformscontact_form_builder
𝑥
< 2.3.42
𝑥
= Vulnerable software versions
References
https://plugins.trac.wordpress.org/changeset/3036466/kali-forms/trunk?contextall=1&old=3029334&old_path=%2Fkali-forms%2Ftrunk
https://www.wordfence.com/threat-intel/vulnerabilities/id/7be75b0a-737d-4f0d-b024-e207af4573cd?source=cve
https://plugins.trac.wordpress.org/changeset/3036466/kali-forms/trunk?contextall=1&old=3029334&old_path=%2Fkali-forms%2Ftrunk
https://www.wordfence.com/threat-intel/vulnerabilities/id/7be75b0a-737d-4f0d-b024-e207af4573cd?source=cve