CVE-2024-1217: The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to...
Description
The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with subscriber access or higher, to deactivate any active plugins.
Classification
CVE ID: CVE-2024-1217
CVSS Base Severity: HIGH
CVSS Base Score: 7.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Problem Types
CWE-862 Missing AuthorizationAffected Products
Vendor: kaliforms
Product: Contact Form builder with drag & drop for WordPress – Kali Forms
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.08% (probability of being exploited)
EPSS Percentile: 24.82% (scored less or equal to compared to others)
EPSS Date: 2025-05-23 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: partial
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2024-1217https://www.wordfence.com/threat-intel/vulnerabilities/id/7be75b0a-737d-4f0d-b024-e207af4573cd?source=cve
https://plugins.trac.wordpress.org/changeset/3036466/kali-forms/trunk?contextall=1&old=3029334&old_path=%2Fkali-forms%2Ftrunk