CVE-2023-5385 in Funnelforms Free Plugin

Summary

by MITRE • 11/22/2023

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_copy_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create copies of arbitrary posts.

Analysis

by VulDB Data Team • 04/11/2026

The Funnelforms Free plugin for WordPress presents a critical authorization vulnerability that undermines the integrity of content management systems. The weakness lies in the plugin's fnsf_copy_posts function, where proper capability checks are entirely absent, creating a pathway for unauthorized data manipulation. The vulnerability affects all versions up to and including 3.4, making it a widespread concern for WordPress installations that rely on this plugin for form management and funnel creation. The flaw specifically targets the permission model of WordPress by failing to validate whether users possess sufficient privileges before allowing post duplication operations.

The vulnerability stems from the absence of capability validation within the fnsf_copy_posts function, which should require administrative or editorial privileges to duplicate content. Attackers with subscriber-level access or higher can exploit this oversight to create copies of any post within the WordPress installation, effectively bypassing the intended access controls. This missing capability check is a direct violation of the principle of least privilege, under which users should only be able to perform actions commensurate with their assigned roles. The vulnerability operates at the application layer and requires only authenticated access, making it particularly dangerous, as it can be exploited by users who should not have the ability to modify content beyond their designated permissions.

The operational impact of this vulnerability extends beyond simple data duplication and creates significant risks for content integrity and potential data exfiltration. An attacker with subscriber privileges could copy sensitive posts, potentially including private content, user information, or proprietary business data, and then modify these copies to serve malicious purposes. The ability to create arbitrary post copies also enables attackers to manipulate the content hierarchy, potentially causing confusion in content management systems or serving as a vector for more sophisticated attacks. This vulnerability aligns with CWE-284, which addresses improper access control, and represents a clear violation of the access control mechanisms that WordPress implements to protect content and user data.

Organizations affected by this vulnerability should immediately implement mitigations, including updating to the latest plugin version, where the capability check has been properly implemented. The recommended approach involves verifying that the fnsf_copy_posts function now includes proper capability validation using WordPress's built-in functions such as current_user_can(), so that only users with appropriate permissions can execute post duplication operations. Additionally, administrators should conduct thorough audits of user roles and permissions to identify any unauthorized access that may have occurred before the patch was applied.

This vulnerability demonstrates the critical importance of proper input validation and capability checks in web applications, particularly those handling content management functions. The issue also relates to ATT&CK technique T1078, which covers valid accounts and privilege escalation, as attackers can leverage existing accounts to gain expanded capabilities through poorly implemented access controls. Organizations should also consider implementing additional monitoring of content creation and modification activities to detect unauthorized post duplication attempts and maintain comprehensive audit trails for security incident response.
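As an added illustration of the current_user_can() guidance above (this is not the Funnelforms code or its actual patch; the handler, action and nonce names are hypothetical, and the nonce check is an assumption layered on top of the capability check), here is a WordPress AJAX copy handler without and with authorization:

```php
<?php
/**
 * Illustrative only: hypothetical plugin code, NOT Funnelforms source.
 * Handler, action and nonce names are assumptions made for this example.
 */

// wp_ajax_{action} fires for ANY logged-in user, subscribers included,
// so registering a handler here is not an authorization decision.
add_action( 'wp_ajax_example_copy_post', 'example_copy_post' );

// Weak pattern (intentionally not registered): trusts every caller.
function example_copy_post_weak() {
    $source = get_post( absint( $_POST['post_id'] ?? 0 ) );
    if ( ! $source ) {
        wp_send_json_error( 'not_found', 404 );
    }
    // No capability check: any authenticated role can copy any post.
    wp_send_json_success( example_duplicate( $source ) );
}

// Hardened pattern: verify intent (nonce), then authority (capability).
function example_copy_post() {
    check_ajax_referer( 'example_copy_post', 'nonce' ); // dies on failure
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $source  = get_post( $post_id );
    if ( ! $source ) {
        wp_send_json_error( 'not_found', 404 );
    }
    // Per-object meta capability: may this user edit THIS post?
    // The new copy additionally needs the post type's create capability.
    $type = get_post_type_object( $source->post_type );
    if ( ! $type
        || ! current_user_can( 'edit_post', $post_id )
        || ! current_user_can( $type->cap->create_posts ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( example_duplicate( $source ) );
}

// Shared copy routine: the duplicate is always a draft owned by the caller.
function example_duplicate( WP_Post $source ) {
    return wp_insert_post( wp_slash( array(
        'post_title'   => $source->post_title,
        'post_content' => $source->post_content,
        'post_type'    => $source->post_type,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ) ), true );
}
```

Checking the meta capability `edit_post` against the source post ID, rather than a role name or a blanket primitive capability, lets WordPress account for post status and ownership, which is what keeps a low-privileged account from copying posts it cannot edit.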

Responsible: Wordfence

Reservation: 10/04/2023

Disclosure: 11/22/2023

Moderation: accepted

CPE: ready

EPSS: 0.00395

KEV: no

Activities: very low
