CVE-2024-0372 in Views for WPForms Plugininfo

Summary

by MITRE • 02/06/2024

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_form_fields' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2024-0372 affects the Views for WPForms plugin, a WordPress extension that enables users to display and edit WPForms entries on the frontend of websites. This plugin serves as a bridge between WPForms form data and frontend presentation, allowing administrators to create custom views of form submissions. The flaw resides in the 'get_form_fields' function which fails to properly validate user capabilities before executing sensitive operations. This represents a critical authorization bypass vulnerability that undermines the plugin's security model and exposes sensitive data handling mechanisms to unauthorized access.

The technical implementation of this vulnerability stems from a missing capability check within the plugin's codebase. Specifically, the 'get_form_fields' function does not verify whether the requesting user possesses sufficient privileges to access the form field data being retrieved. This function operates without proper authentication validation, allowing any authenticated user account with subscriber-level permissions or higher to invoke the function and potentially access form data that should be restricted to administrators or form owners. The vulnerability exists across all plugin versions up to and including 3.2.2, indicating a persistent flaw in the plugin's access control implementation that has remained unaddressed for an extended period.

The operational impact of this vulnerability extends beyond simple data exposure to encompass potential compromise of user privacy and sensitive information collection. Attackers with subscriber-level access can leverage this vulnerability to create form views that reveal data from forms they should not be authorized to access. This capability allows for the construction of malicious views that can aggregate, filter, or present form submissions in ways that violate data protection principles and user expectations. The vulnerability particularly affects websites that collect personal information, financial data, or other sensitive content through WPForms, as it enables unauthorized access to potentially confidential submission data that could be used for identity theft, financial fraud, or other malicious activities.

This vulnerability maps directly to CWE-285, which addresses improper authorization in software systems, and aligns with ATT&CK technique T1078.004 for valid accounts, as it allows attackers to escalate privileges through legitimate user accounts. The flaw demonstrates poor principle of least privilege implementation where the plugin fails to enforce proper access controls for sensitive operations. Organizations using this plugin should immediately update to the latest version to remediate the vulnerability, as the lack of capability checking represents a fundamental security flaw in the plugin's architecture. Security practitioners should also conduct thorough audits of their WordPress installations to identify any other plugins with similar authorization bypass issues and implement additional monitoring for suspicious activity related to form data access patterns. The vulnerability underscores the importance of proper capability validation in web applications and serves as a reminder that even seemingly minor functions can create significant security risks when proper access controls are omitted.

Responsible

Wordfence

Reservation

01/09/2024

Disclosure

02/06/2024

Moderation

accepted

CPE

ready

EPSS

0.00359

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!