CVE-2025-67577
Description
Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.8.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Easy Form Builder plugin <= 3.8.20 lacks proper access control, allowing unauthenticated attackers to exploit misconfigured security levels.
Vulnerability Overview
The Easy Form Builder WordPress plugin (versions up to and including 3.8.20) is affected by a Missing Authorization vulnerability [1]. This is a broken access control issue where the plugin fails to properly enforce capability checks, meaning certain functions can be triggered without the appropriate permissions [1].
Exploitation Conditions
An attacker can exploit this vulnerability without requiring authentication [1]. The missing authorization check means that any unauthenticated visitor could potentially access endpoints or actions that should be restricted to higher-privileged users, such as administrators [1]. The vulnerability is classified as Medium severity (CVSS 5.3) and has been noted as being used in mass-exploit campaigns targeting thousands of websites [1].
Impact
Successful exploitation allows an attacker to perform actions that should require higher-level access within the plugin's functionality [1]. This could include modifying form data, accessing protected submissions, or other unintended operations depending on the exact missing checks. The impact is considered low, but the ease of exploitation due to missing authentication elevates the risk [1].
Mitigation
The vendor has released version 3.8.21 which resolves the vulnerability [1]. Users are strongly advised to update immediately. For Patchstack users, auto-updates can be enabled for vulnerable plugins. If updating is not possible, users should consult their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=3.8.20
- Range: <=3.8.20
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.