CVE-2023-5382 in Funnelforms Free Plugin

Summary

by MITRE • 11/22/2023

The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_delete_posts function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.


Analysis

by VulDB Data Team • 04/11/2026

The Funnelforms Free plugin for WordPress is a widely used tool for creating and managing lead generation forms within WordPress sites. This vulnerability affects versions up to and including 3.4, so it is a significant concern for WordPress administrators who have not yet updated their installations. The plugin's functionality revolves around managing form submissions and associated content, which makes it a plausible target for attackers seeking to disrupt website operations or compromise user data. The vulnerability resides in the fnsf_delete_posts function, which handles the deletion of posts created through the plugin's interface.

The core technical flaw is the absence of proper nonce validation in the fnsf_delete_posts function. WordPress nonces are time-limited tokens, bound to a specific action and to the current user's session, that let a handler verify that a request originated from a legitimate administrative screen rather than from an arbitrary third-party page. Without nonce validation, the plugin cannot distinguish an authorized administrative deletion from a forged request. This is the direct precondition for cross-site request forgery: an attacker crafts a request that the administrator's browser then submits with the administrator's authenticated session. The vulnerability is classified as CWE-352, Cross-Site Request Forgery.
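To make the missing-nonce pattern concrete, the following is an added illustration (not code from the Funnelforms Free plugin) of a WordPress AJAX deletion handler in its vulnerable shape and in a hardened shape. All function and field names prefixed `example_` are hypothetical; the WordPress API calls (`check_ajax_referer`, `wp_nonce_field`, `current_user_can`, `wp_delete_post`) are real.

```php
<?php
// Added illustration of the CWE-352 pattern described above; hypothetical
// handler names, NOT code from the Funnelforms Free plugin.

// Vulnerable shape: the action trusts any request carrying post IDs. With no
// nonce check, a request forged by a third-party page and submitted by a
// logged-in administrator's browser looks identical to a genuine admin click.
function example_delete_posts_unsafe() {
    $ids = isset( $_POST['ids'] ) ? (array) $_POST['ids'] : array();
    foreach ( $ids as $id ) {
        wp_delete_post( (int) $id, true );
    }
    wp_send_json_success();
}

// Hardened shape: the admin page emits a nonce bound to this action, and the
// handler refuses the request unless that nonce and the capability check pass.
function example_render_delete_button( $post_id ) {
    // wp_nonce_field() adds a hidden input 'example_delete_nonce' holding a
    // nonce tied to the 'example_delete_posts' action and the current user.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_delete_posts">';
    echo '<input type="hidden" name="ids[]" value="' . (int) $post_id . '">';
    wp_nonce_field( 'example_delete_posts', 'example_delete_nonce' );
    submit_button( 'Delete' );
    echo '</form>';
}

function example_delete_posts_safe() {
    // check_ajax_referer() verifies the nonce for this action and, by default,
    // ends the request with HTTP 403 if it is missing or invalid, so a
    // cross-site forgery never reaches the deletion code below.
    check_ajax_referer( 'example_delete_posts', 'example_delete_nonce' );

    $ids = isset( $_POST['ids'] ) ? array_map( 'intval', (array) $_POST['ids'] ) : array();
    foreach ( $ids as $id ) {
        // A nonce proves intent, not authorization: still confirm the current
        // user is allowed to delete this particular post.
        if ( ! current_user_can( 'delete_post', $id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        wp_delete_post( $id, true );
    }
    wp_send_json_success();
}

// wp_ajax_* actions are reachable only by logged-in users; the nonce is what
// stops that session from being driven by a page the attacker controls.
add_action( 'wp_ajax_example_delete_posts', 'example_delete_posts_safe' );
```

For a non-AJAX admin-post handler the same pair applies with `wp_verify_nonce()` or `check_admin_referer()` in place of `check_ajax_referer()`.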

The operational impact of this vulnerability extends beyond simple post deletion, since it lets an attacker manipulate the website's content in harmful ways. An unauthenticated attacker who successfully tricks an administrator into clicking a malicious link could cause unauthorized deletion of posts, pages, or other content generated through the plugin. This could result in data loss, disruption of lead generation processes, or compromise of the website's overall integrity. Exploitability is heightened by the fact that only a single interaction by the administrator is needed; the attack relies on social engineering to deliver the forged request rather than on any access to the site. This makes it particularly dangerous in environments where administrators are not fully aware of the security implications of clicking unknown links.

Mitigation for this vulnerability primarily consists of an immediate plugin update to a version that corrects the nonce validation. System administrators should prioritize updating the Funnelforms Free plugin to the latest available version containing the security patch. Further measures such as restricting administrative access to trusted networks, enabling two-factor authentication, and conducting regular security audits of installed plugins can reduce the risk of exploitation. The ATT&CK framework categorizes this vulnerability under T1566, which covers phishing techniques used to gain initial access, while also relating to T1499, which involves data destruction and tampering. Organizations should also consider deploying a web application firewall and monitoring for suspicious administrative activity, such as unexpected post deletions, to detect exploitation attempts. Regular security assessments and maintaining updated security baselines are essential practices to prevent similar vulnerabilities from compromising WordPress installations.

Responsible

Wordfence

Reservation

10/04/2023

Disclosure

11/22/2023

Moderation

accepted

CPE

ready

EPSS

0.00306

KEV

no

Activities

very low
