CVE-2024-0371 in Views for WPForms Plugininfo

Summary

by MITRE • 02/06/2024

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'create_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2024-0371 affects the Views for WPForms plugin, a WordPress extension that enables users to display and edit WPForms entries on the frontend of websites. This plugin serves as a bridge between WPForms form functionality and frontend user interfaces, allowing for more dynamic content presentation and interaction. The flaw resides in the plugin's authorization mechanism within the 'create_view' function, which fails to properly verify user permissions before permitting view creation operations. This represents a significant security weakness that undermines the principle of least privilege and proper access control within WordPress environments.

The technical nature of this vulnerability stems from the absence of capability checks within the plugin's codebase, specifically in the create_view function that handles form view creation. According to CWE-284, this manifests as an improper access control vulnerability where the system fails to properly enforce authorization requirements. The flaw allows authenticated users with subscriber-level privileges or higher to bypass normal permission boundaries and create form views that should typically be restricted to administrators or users with explicit form management permissions. This missing authorization check creates an exploitable path where attackers can leverage their existing access to perform unauthorized modifications to the website's form presentation layer.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it enables attackers to manipulate how forms are displayed and interacted with on the frontend of WordPress sites. Subscribers and users with higher roles can create malicious views that might redirect form submissions, alter form fields, or present misleading information to other users. This capability creates potential for data manipulation, social engineering attacks, and can significantly compromise the integrity of form-based data collection processes. The vulnerability affects all plugin versions up to and including 3.2.2, meaning that any WordPress installation using this plugin within the affected version range is potentially compromised. According to ATT&CK framework technique T1078.004, this vulnerability enables credential abuse and privilege escalation through application-specific weaknesses, while T1566.001 relates to the exploitation of web applications for unauthorized data modification.

Mitigation strategies should focus on immediate remediation through plugin updates to versions that address the capability check deficiency. Administrators should also implement additional security measures such as role-based access controls, regular security audits of user permissions, and monitoring for unauthorized view creation activities. The WordPress security community recommends that all users upgrade to the latest available version of the Views for WPForms plugin immediately upon release of a patched version. Additional defensive measures include implementing web application firewalls, restricting user roles to minimal necessary permissions, and conducting regular penetration testing to identify similar authorization gaps in custom plugins and themes. Organizations should also consider implementing automated monitoring solutions that can detect suspicious activities related to form view creation and alert security teams to potential exploitation attempts.

Responsible

Wordfence

Reservation

01/09/2024

Disclosure

02/06/2024

Moderation

accepted

CPE

ready

EPSS

0.00428

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!