Flowforms Conversational Form Builder
Monthly
Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.