CVE-2024-0370 in Views for WPForms Plugin
Summary
by MITRE • 02/06/2024
The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2024-0370 affects the Views for WPForms plugin, a WordPress extension designed to display and edit WPForms entries on website frontends. This plugin enables users to create custom views of form submissions and manage them through frontend interfaces. The security flaw resides within the plugin's 'save_view' function which fails to implement proper capability verification before allowing data modification operations. This represents a critical authorization bypass vulnerability that undermines the plugin's security model and exposes WordPress sites to potential data integrity compromises.
The technical implementation of this vulnerability stems from the absence of capability checks within the save_view function, which is responsible for processing and saving view configurations. According to CWE-863, this manifests as an "Incorrect Authorization" vulnerability where the system fails to verify that the requesting user possesses the necessary privileges to perform the requested operation. The flaw specifically allows authenticated users with subscriber-level permissions or higher to manipulate post titles through the plugin's interface, bypassing normal WordPress access control mechanisms that should restrict such modifications to users with appropriate capabilities like editors or administrators.
The operational impact of this vulnerability extends beyond simple data modification as it creates a persistent security risk for WordPress installations using the affected plugin version. Attackers with subscriber accounts can exploit this weakness to alter post titles, potentially disrupting site content management, manipulating search engine results, or creating confusion among site visitors. The vulnerability affects all versions up to and including 3.2.2, indicating a widespread exposure across numerous installations that have not yet received the necessary security patch. This unauthorized modification capability can be leveraged to conduct data integrity attacks, potentially leading to more severe consequences when combined with other vulnerabilities or when used in conjunction with social engineering tactics.
Organizations and WordPress administrators should immediately implement mitigation strategies to address this vulnerability. The primary recommendation involves updating the Views for WPForms plugin to the latest version where the capability check has been properly implemented. Additionally, administrators should review user roles and permissions to ensure that only trusted users have subscriber-level access or higher. Implementing network monitoring solutions can help detect unauthorized modifications to content, while maintaining updated security tooling such as web application firewalls and intrusion detection systems provides additional layers of protection. This vulnerability aligns with ATT&CK technique T1078.004 which covers "Valid Accounts: Cloud Accounts" and demonstrates how insufficient access controls can enable privilege escalation through legitimate user accounts, making it essential to enforce principle of least privilege and proper capability validation throughout WordPress plugin ecosystems.