CVE-2023-5386 in Funnelforms Free Plugininfo

Summary

by MITRE • 11/22/2023

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts, including administrator posts, and posts not related to the Funnelforms Free plugin. CVE-2023-5990 appears to be a duplicate of this issue.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-5386 affects the Funnelforms Free plugin for WordPress, representing a critical authorization flaw that undermines the platform's security model. This issue stems from a missing capability check within the fnsf_delete_posts function, which operates without proper permission validation. The flaw exists in plugin versions up to and including 3.4, making it a persistent threat across multiple releases. The vulnerability's impact extends beyond typical plugin boundaries, as it allows authenticated users with subscriber-level permissions or higher to manipulate posts indiscriminately, creating a significant risk for content integrity and system security.

The technical implementation of this vulnerability demonstrates a clear failure in access control mechanisms, specifically lacking proper capability verification before executing destructive operations. The absence of authorization checks in the fnsf_delete_posts function means that any authenticated user can invoke the deletion functionality regardless of their role or the posts they attempt to modify. This design flaw directly violates fundamental security principles and creates a privilege escalation path that enables attackers to target posts beyond their intended scope. The vulnerability's scope includes not only posts related to the Funnelforms plugin but also arbitrary posts within the WordPress installation, including those created by administrators and other users.

From an operational standpoint, this vulnerability creates substantial risk for WordPress administrators and content creators who rely on the platform's security model. Attackers with minimal privileges can exploit this weakness to delete critical content, disrupt workflows, and potentially cause data loss that could require extensive recovery efforts. The impact extends to business continuity, as unauthorized deletion of posts can compromise marketing campaigns, important announcements, or other essential content. The vulnerability's persistence across multiple versions suggests inadequate security testing during development and release cycles, indicating potential gaps in quality assurance processes.

The security implications of this vulnerability align with CWE-284, which addresses improper access control issues, and can be mapped to ATT&CK technique T1485 within the context of data destruction and system compromise. Organizations using the affected plugin version face potential reputational damage and regulatory compliance risks, particularly in environments where content integrity and audit trails are critical. The vulnerability's classification as an authorization flaw means that it could be leveraged as part of broader attack chains, potentially enabling additional exploitation vectors such as data exfiltration or service disruption.

Effective mitigation strategies must prioritize immediate plugin updates to versions that address the capability check deficiency. Administrators should conduct comprehensive security audits to identify and remediate similar authorization gaps across other installed plugins and themes. The implementation of additional monitoring mechanisms for post deletion activities can help detect unauthorized operations and provide early warning of potential exploitation attempts. Regular security assessments and vulnerability scanning should be integrated into operational procedures to identify and remediate similar access control issues before they can be exploited by malicious actors. Organizations should also consider implementing role-based access controls and principle of least privilege configurations to minimize the impact of potential authorization bypasses.

Responsible

Wordfence

Reservation

10/04/2023

Disclosure

11/22/2023

Moderation

accepted

CPE

ready

EPSS

0.00408

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!