Ultra Addons For Wpforms
Monthly
Broken access control in Ultra Addons for WPForms (WordPress plugin by Themefic) through version 1.0.11 allows authenticated subscriber-level users to perform privileged actions beyond their intended role. The vulnerability stems from missing authorization checks (CWE-862), enabling a low-privilege attacker with only a subscriber account to manipulate plugin functionality in ways restricted to higher-privilege roles such as administrators or editors. With a CVSS 3.1 score of 6.4 Medium and a scope-changed vector, the impact extends beyond the plugin itself to affect WordPress site integrity and availability. No public exploit code and no confirmed active exploitation have been identified at time of analysis.
Broken access control in Ultra Addons for WPForms (WordPress plugin by Themefic) through version 1.0.11 allows authenticated subscriber-level users to perform privileged actions beyond their intended role. The vulnerability stems from missing authorization checks (CWE-862), enabling a low-privilege attacker with only a subscriber account to manipulate plugin functionality in ways restricted to higher-privilege roles such as administrators or editors. With a CVSS 3.1 score of 6.4 Medium and a scope-changed vector, the impact extends beyond the plugin itself to affect WordPress site integrity and availability. No public exploit code and no confirmed active exploitation have been identified at time of analysis.