Advanced Form Integration
Monthly
Broken Access Control in the Advanced Form Integration WordPress plugin (versions ≤ 1.126.12) allows authenticated subscriber-level users to perform privileged actions that should be restricted to administrators, due to missing authorization checks (CWE-862). The flaw carries a CVSS 3.1 score of 6.5 with high integrity impact (I:H), meaning a low-privilege attacker can substantially alter plugin or form integration configurations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and broad applicability to any multi-user or open-registration WordPress site make this a meaningful operational risk.
The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Broken Access Control in the Advanced Form Integration WordPress plugin (versions ≤ 1.126.12) allows authenticated subscriber-level users to perform privileged actions that should be restricted to administrators, due to missing authorization checks (CWE-862). The flaw carries a CVSS 3.1 score of 6.5 with high integrity impact (I:H), meaning a low-privilege attacker can substantially alter plugin or form integration configurations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and broad applicability to any multi-user or open-registration WordPress site make this a meaningful operational risk.
The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.