CVE-2025-32620
Description
Missing authorization in Doppler Forms WordPress plugin (≤2.4.6) allows unauthenticated attackers to exploit incorrectly configured access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Doppler Forms plugin for WordPress (versions ≤ 2.4.6, as noted in the CVE description) suffers from a Missing Authorization vulnerability. The plugin fails to properly enforce access control on certain server-side functions, allowing requests to be processed without verifying the user's privileges [1]. This affects the doppler-form plugin as available in the WordPress plugin repository, where version 2.4.7 is listed as containing a fix for "broken access control" [1]. All versions up to and including 2.4.6 are affected.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable endpoints within the WordPress installation. No special network position, authentication, or user interaction is required; the attacker only needs the ability to make web requests to the target site [1]. The vulnerability exists in the plugin code that handles form-related operations, where permission checks are absent or insufficiently implemented.
Impact
Successful exploitation allows an attacker to perform actions normally restricted to authorized users, such as modifying plugin settings, accessing sensitive data, or triggering unintended functionality. This can lead to unauthorized information disclosure or configuration changes, compromising the confidentiality and integrity of the WordPress site [1]. The exact scope depends on the specific administrative functions lacking authorization.
Mitigation
The fix for this vulnerability was released in version 2.4.7 of Doppler Forms, as noted in the plugin's changelog: "Fix: broken access control vulnerability" [1]. Users must update to version 2.4.7 or later (the current version as of reference publication is 2.8.0). No workarounds are documented in available references; updating is the only recommended mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.