CVE CyberSecurity Database News

CVE-2023-5417 - Exploiting Improper Capability Checks in Funnelforms Free WordPress Plugin

Poster -

If you run a WordPress website and use the popular Funnelforms Free plugin, you need to read this: a vulnerability has been found in versions up to 3.4 that lets even low-level users (like regular subscribers) change form categories — all due to a missing capability check in the code.

In this post, I'll break down what CVE-2023-5417 is, how attackers can use it, show you a code snippet of the problem area, and help you patch your site. This research is exclusive, using clean, simple American language, so even non-technical WordPress admins can follow.

What is CVE-2023-5417?

CVE-2023-5417 is a vulnerability in the Funnelforms Free WordPress plugin up to and including version 3.4. It allows any logged-in user — not just admins but also basic subscribers — to modify form categories by directly calling a function that wasn’t properly secured.

Why is this a problem?
Normally, only users with high-level permissions (like Administrators or Editors) should change certain plugin settings. When that restriction is missing, a bad actor can tamper with forms, mix up tracking, lead generation, or even prepare further attacks.

Technical Details: The Real Issue

Inside funnelforms-free, there’s an AJAX handler function called fnsf_update_category. This function is meant to update the category of a form or post. Rather than verifying the user's permissions, it just carries out the request if the AJAX request is authenticated (meaning, the user is logged in — even as a subscriber).

Here’s a sample code snippet that shows this broken logic

// File: includes/ajax-handler.php (or similar)
add_action('wp_ajax_fnsf_update_category', 'fnsf_update_category');

function fnsf_update_category() {
    $post_id = $_POST['post_id'];
    $category = $_POST['category'];

    // MISSING: capability check like current_user_can('edit_post', $post_id)
    update_post_meta($post_id, 'funnelforms_category', $category);

    wp_send_json_success('Category updated!');
}

What’s wrong here?
The function should check the logged-in user's capability before changing any data. Even a basic subscriber passes the authentication check, so they can send an AJAX request and change the category for any post or form.

Crafts an AJAX request to change a Funnelforms form’s category.

4. Sends request using something like Postman or a browser’s developer tools.

Here’s what a malicious AJAX request might look like

POST /wp-admin/admin-ajax.php?action=fnsf_update_category
Cookie: wordpress_logged_in_xxx=...
Content-Type: application/x-www-form-urlencoded

post_id=42&category=SpamCategory

As long as they’re logged in — even just as a subscriber — they can tamper with categories at will!

How Should This Be Fixed?

The developer should add a capability check so only authorized users (e.g., editors or admins) can run the update:

function fnsf_update_category() {
    // For example, only allow users who can 'edit_post' on this post
    if (!current_user_can('edit_post', $_POST['post_id'])) {
        wp_send_json_error('Not allowed!');
        return;
    }

    $post_id = $_POST['post_id'];
    $category = $_POST['category'];
    update_post_meta($post_id, 'funnelforms_category', $category);
    wp_send_json_success('Category updated!');
}

Original References

- Wordfence Advisory
- Patchstack Database Entry
- Funnelforms Plugin on WordPress.org

Monitor user actions for unexpected changes.

If you’re a plugin developer: always validate user capabilities in AJAX handlers and any function that changes data!


In short:
If you run Funnelforms Free older than 3.4, low-level users can change categories due to missing permission checks. Update TODAY. For developers: always verify capabilities!

Questions? Reach out through the WordPress support forums. Stay safe!

Timeline

Published on: 11/22/2023 16:15:12 UTC
Last modified on: 11/27/2023 20:16:27 UTC