CVE-2023-7203

CWE-352Cross-Site Request Forgery (CSRF)CWE-862Missing Authorization3 documents3 sources
Severity
6.1MEDIUM
EPSS
0.2%
top 59.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Smart FormsRednao Smart Forms
Timeline
PublishedFeb 27

Description

The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as deleting entries.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDrednao/smart_forms< 2.6.87
CVEListV5unknown/smart_forms< 2.6.87

🔴Vulnerability Details

2
GHSA
GHSA-5q3g-vh9g-mjh9: The Smart Forms WordPress plugin before 22024-02-27
CVEList
Smart Forms < 2.6.87 - Subscriber+ Arbitrary Entry Deletion2024-02-27
CVE-2023-7203 (MEDIUM CVSS 6.1) | The Smart Forms WordPress plugin be | cvebase.io