Ws Form Lite
Monthly
Missing capability check in WS Form LITE WordPress plugin before 1.11.8 allows any authenticated subscriber-level WordPress user to modify the plugin's settings, an action that should be restricted to administrators. The CVSS vector (PR:L) confirms low-privilege authentication is sufficient, and a publicly available proof-of-concept has been documented by WPScan. No active exploitation has been confirmed by CISA KEV, but the low barrier to exploitation and available POC make this a credible risk on multi-user WordPress installations where untrusted subscribers exist.
Missing capability check in WS Form LITE WordPress plugin before 1.11.8 allows any authenticated subscriber-level WordPress user to modify the plugin's settings, an action that should be restricted to administrators. The CVSS vector (PR:L) confirms low-privilege authentication is sufficient, and a publicly available proof-of-concept has been documented by WPScan. No active exploitation has been confirmed by CISA KEV, but the low barrier to exploitation and available POC make this a credible risk on multi-user WordPress installations where untrusted subscribers exist.