Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-accessible settings endpoint, no interaction needed, but subscriber-level auth required (PR:L); only plugin settings integrity is affected, no confidentiality or availability impact.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the WS Form LITE WordPress plugin before 1.11.8's settings.
AnalysisAI
Missing capability check in WS Form LITE WordPress plugin before 1.11.8 allows any authenticated subscriber-level WordPress user to modify the plugin's settings, an action that should be restricted to administrators. The CVSS vector (PR:L) confirms low-privilege authentication is sufficient, and a publicly available proof-of-concept has been documented by WPScan. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account at subscriber level or above - PR:L in the CVSS vector confirms this. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) reflects the limited scope: network-accessible (AV:N), low complexity (AC:L), requires low-privilege authentication (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or availability impact (C:N, A:N), and only partial integrity impact (I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or logs in as a subscriber on a WordPress site running WS Form LITE before 1.11.8 - a plausible step on any site with open user registration or a membership model. Using the publicly available POC, the attacker sends a crafted HTTP request to the plugin's settings-update endpoint without administrator credentials, successfully modifying plugin configuration (e.g., altering form submission behavior, notification settings, or storage options). … |
| Remediation | Vendor-released patch: upgrade WS Form LITE to version 1.11.8 or later, which introduces the missing capability check on the affected settings-update action. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40915
GHSA-44m6-x3f3-q98j