VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-62738

Description

Missing Authorization vulnerability in mmattax Formstack Online Forms (formstack) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Formstack Online Forms: from n/a through <= 2.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Formstack Online Forms plugin for WordPress, in versions up to and including 2.0.2, has a missing authorization vulnerability that allows unauthenticated access to privileged actions intended for higher-privileged users.

Vulnerability

The Formstack Online Forms plugin for WordPress (versions up to and including 2.0.2) contains a missing authorization vulnerability. The plugin fails to enforce access control checks on certain functions: it does not verify whether a user holds the required privileges before allowing them to execute actions that should be restricted to higher-privileged roles such as administrators or editors. This is a classic broken access control issue [1].

Exploitation

An attacker can exploit this vulnerability without needing any prior authentication. By sending crafted requests to the vulnerable endpoints, an unauthenticated user can trigger actions that are normally reserved for authenticated users with elevated permissions. The attack surface is the WordPress admin-ajax.php or similar handler that processes plugin-specific requests without a nonce or capability check [1].
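To make the bug class concrete, here is an added illustration of an admin-ajax handler with the missing nonce and capability checks described above, beside a hardened version. This is example code written for this page, not Formstack's code; the action name, option key and script handle are hypothetical.

```php
<?php
// Added illustration of a missing-authorization admin-ajax handler.
// Not Formstack's code: 'example_save_form_settings', the option key and the
// script handle 'example-settings' are hypothetical placeholders.

// --- Vulnerable pattern ---------------------------------------------------
// Registered for both logged-in and anonymous callers (wp_ajax_nopriv_), and
// the callback writes a privileged setting without checking who is asking.
add_action( 'wp_ajax_example_save_form_settings',        'example_save_form_settings_vuln' );
add_action( 'wp_ajax_nopriv_example_save_form_settings', 'example_save_form_settings_vuln' );

function example_save_form_settings_vuln() {
    // No nonce check and no capability check: any request reaching
    // /wp-admin/admin-ajax.php?action=example_save_form_settings is honoured.
    update_option( 'example_form_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// Only the authenticated hook is registered, the request must carry a nonce
// issued to this user for this action, and the caller must hold a capability
// appropriate for changing plugin configuration.
add_action( 'wp_ajax_example_save_form_settings', 'example_save_form_settings_safe' );

function example_save_form_settings_safe() {
    // Nonce: rejects cross-site and stale requests (exits with 403 on failure).
    check_ajax_referer( 'example_form_settings', 'nonce' );

    // Capability: the actual authorization decision; a nonce alone does not provide it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'example_form_settings', $settings );
    wp_send_json_success();
}

// The nonce is handed to the admin page's script (handle assumed to be
// registered elsewhere) and sent back with each request as the 'nonce' field.
function example_enqueue_settings_script() {
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'nonce' => wp_create_nonce( 'example_form_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

When reviewing a plugin for this issue, look for `wp_ajax_nopriv_` registrations and for AJAX callbacks that call `update_option`, `get_posts` or similar privileged APIs without a preceding `check_ajax_referer` and `current_user_can` pair.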

Impact

Successful exploitation allows an attacker to perform unauthorized actions within the context of the Formstack plugin. Depending on the specific missing authorization check, this could include modifying form settings, accessing or exfiltrating form submissions, or other administrative operations. The vulnerability is rated with a CVSS v3 base score of 5.3 (Medium), reflecting the potential for data exposure or partial compromise of the site's functionality [1].

Mitigation

The vendor has not released a patched version beyond 2.0.2, and the plugin appears to be no longer maintained. Users are strongly advised to update to the latest available version (if any) or to disable and remove the plugin if an update is not provided. As noted in the advisory, this vulnerability is actively used in mass-exploit campaigns, so immediate action is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1

News mentions: 0 (no linked articles in the index yet)