CVE-2024-1945

EUVD-2024-17666
The Contact Form, Survey & Popup Form Plugin for WordPress –  ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber access and above, to delete arbitrary site options, resulting in loss of availability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
WordfenceCNA
7.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
References
https://plugins.trac.wordpress.org/browser/arforms-form-builder/tags/1.6.3/core/controllers/arfliteformcontroller.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/026f8d9b-a66b-4a59-8375-fba587a4eef7?source=cve
https://plugins.trac.wordpress.org/browser/arforms-form-builder/tags/1.6.3/core/controllers/arfliteformcontroller.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/026f8d9b-a66b-4a59-8375-fba587a4eef7?source=cve