本页列出影响 funnelforms funnelforms 的已公开 CVE 漏洞(通过 NVD CPE 关联)。每行包含严重程度评分、摘要与发布日期,便于识别与分析安全问题。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2023-5419 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to send test emails to an arbitrary email address. | [email protected] | 4.3 | 0.40% | 2023-11-22 | 2026-04-08 |
| CVE-2023-5417 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the Funnelforms category for a given post ID. | [email protected] | 4.3 | 0.40% | 2023-11-22 | 2026-04-08 |
| CVE-2023-5416 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete categories. | [email protected] | 4.3 | 0.40% | 2023-11-22 | 2026-04-08 |
| CVE-2023-5415 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add new categories. | [email protected] | 4.3 | 0.40% | 2023-11-22 | 2026-04-08 |
| CVE-2023-5411 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_save_post function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify certain post values. Note that the extent of modification is limited due to fixed values passed to the wp_update_post function. | [email protected] | 4.3 | 0.40% | 2023-11-22 | 2026-04-08 |
| CVE-2023-5387 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_trigger_dark_mode function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable the dark mode plugin setting. | [email protected] | 4.3 | 0.40% | 2023-11-22 | 2026-04-08 |
| CVE-2023-5386 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts, including administrator posts, and posts not related to the Funnelforms Free plugin. CVE-2023-5990 appears to be a duplicate of this issue. | [email protected] | 6.5 | 0.41% | 2023-11-22 | 2026-04-08 |
| CVE-2023-5385 | The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_copy_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create copies of arbitrary posts. | [email protected] | 4.3 | 0.40% | 2023-11-22 | 2026-04-08 |
| CVE-2023-5383 | The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_copy_posts function. This makes it possible for unauthenticated attackers to create copies of arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2023-5990 appears to be a duplicate of this issue. | [email protected] | 4.3 | 0.23% | 2023-11-22 | 2026-04-08 |
| CVE-2023-5382 | The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_delete_posts function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | [email protected] | 6.5 | 0.31% | 2023-11-22 | 2026-04-08 |
| CVE-2023-4950 | The Interactive Contact Form and Multi Step Form Builder WordPress plugin before 3.4 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks | [email protected] | 6.1 | 0.55% | 2023-10-16 | 2025-04-23 |