Description (NVD)
Missing Authorization vulnerability in August Infotech Multi-language Responsive Contact Form (responsive-contact-form) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Multi-language Responsive Contact Form: from n/a through <= 2.8.
Analysis (AI)
August Infotech's Multi-language Responsive Contact Form WordPress plugin, up to and including version 2.8, fails to enforce access controls on functionality that should be restricted by role-based access control lists, allowing unauthenticated attackers to reach administrative functionality. The missing authorization checks let unauthorized users perform actions intended only for administrators, consistent with the CWE-862 classification and the authentication bypass tag. The EPSS score (0.07%) indicates a low probability of exploitation in the wild, but the flaw is a direct authorization failure in a widely distributed WordPress plugin.
Technical Context (AI)
The vulnerability exists in the Multi-language Responsive Contact Form plugin, a WordPress component that provides multilingual contact form functionality. The root cause is classified as CWE-862 (Missing Authorization), which describes an application granting access to functionality without verifying that the requesting user holds the required permissions. In a WordPress context, this typically means that admin-level AJAX actions or form-processing endpoints execute privileged operations without first checking the caller's capabilities (via current_user_can() or an equivalent capability function). The plugin's form handling and contact management features likely expose administrative operations to any HTTP request, including requests from unauthenticated visitors or low-privilege users. The CPE identification confirms the affected component is the responsive-contact-form WordPress plugin by August Infotech.
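The pattern described above, as an added illustration that is not code from the responsive-contact-form plugin: a hypothetical WordPress AJAX handler that updates plugin settings with no capability check (the CWE-862 shape), beside a hardened version that authorizes the caller before doing anything else. Action names, option keys and the `rcf_demo_` prefix are invented for this example.

```php
<?php
// Added example, not the plugin's code. Hook names and option keys are invented.

// --- Vulnerable pattern (CWE-862): privileged operation, no authorization ---
// Hooking the handler on both wp_ajax_ and wp_ajax_nopriv_ and then acting on
// the request without checking who sent it lets any visitor change settings.
function rcf_demo_save_settings_insecure() {
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'rcf_demo_settings', $settings );   // privileged write, unguarded
    wp_send_json_success();
}
add_action( 'wp_ajax_rcf_demo_save_insecure',        'rcf_demo_save_settings_insecure' );
add_action( 'wp_ajax_nopriv_rcf_demo_save_insecure', 'rcf_demo_save_settings_insecure' );

// --- Hardened pattern: authorize first, then verify request integrity ---
function rcf_demo_save_settings_secure() {
    // Authorization: only users who may manage site options proceed.
    // This is the check whose absence defines CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection: a nonce bound to this action. It complements the
    // capability check; a nonce alone does not establish authorization.
    check_ajax_referer( 'rcf_demo_save', 'nonce' );

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw );  // validate input last
    update_option( 'rcf_demo_settings', $settings );
    wp_send_json_success();
}
// Registered for authenticated users only: no wp_ajax_nopriv_ hook at all,
// so anonymous requests never reach the handler.
add_action( 'wp_ajax_rcf_demo_save', 'rcf_demo_save_settings_secure' );
```

When reviewing a plugin for this class of bug, a quick triage is to list every `wp_ajax_nopriv_` and `admin_post_nopriv_` hook and every `register_rest_route()` call, then confirm each handler performs a capability check before any state-changing call such as `update_option()`.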
Affected Products (AI)
August Infotech Multi-language Responsive Contact Form WordPress plugin version 2.8 and all earlier versions are affected. The vulnerability was confirmed by Patchstack and is tracked in the Patchstack vulnerability database for the responsive-contact-form plugin. No lower version bound is documented, so all versions from the plugin's inception through 2.8 should be considered vulnerable. Additional version information and vendor advisory details are available at https://patchstack.com/database/Wordpress/Plugin/responsive-contact-form/vulnerability/wordpress-multi-language-responsive-contact-form-2-8-broken-access-control-vulnerability.
Remediation (AI)
Upgrade August Infotech Multi-language Responsive Contact Form to a version newer than 2.8 immediately; check the plugin repository or the Patchstack advisory for the minimum fixed version number (not independently confirmed from the available references). The primary remediation is to apply the vendor patch by updating the plugin through the WordPress dashboard (Plugins > Installed Plugins > responsive-contact-form > Update if available). If no patched version is yet available, site administrators should disable the plugin entirely in the interim, as the authorization bypass is trivial to exploit once discovered and may already be in use by opportunistic attackers. Review WordPress user roles and capabilities to confirm that no unexpected privilege escalations have occurred. Additional details and patch status are available at https://patchstack.com/database/Wordpress/Plugin/responsive-contact-form/vulnerability/wordpress-multi-language-responsive-contact-form-2-8-broken-access-control-vulnerability.