VYPR
Medium severity (6.5) · NVD Advisory · Published Oct 29, 2025 · Updated Apr 15, 2026

CVE-2025-9544

Description

The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional plugins (limited to those whitelisted by the main Doppler Forms plugin).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Doppler Forms WordPress plugin through 2.5.1 allows any authenticated user, including subscribers, to install and activate whitelisted plugins via an unprotected AJAX action.

The Doppler Forms WordPress plugin through version 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce [1]. This means the action is accessible to any authenticated user, regardless of their role, including those with the Subscriber role [1]. The root cause is a missing capability check and nonce verification on the AJAX handler, which is a common security oversight in WordPress plugin development.

To exploit this vulnerability, an attacker needs only a valid WordPress account with any role, such as a Subscriber. The attacker can then send a crafted AJAX request to the install_extension action, which will install and activate additional plugins that are whitelisted by the main Doppler Forms plugin [1]. The attack does not require any special privileges or bypass any additional authentication or authorization checks beyond the initial user login.

The impact is that an authenticated attacker can install and activate any plugin on the whitelist maintained by the Doppler Forms plugin. This could allow the attacker to introduce plugins with additional vulnerabilities or malicious functionality, potentially leading to further compromise of the WordPress site. The vulnerability is limited to plugins that are whitelisted by the main plugin, but this still represents a significant privilege escalation from a low-privileged user role.

The vulnerability has been fixed in version 2.6.0 of the Doppler Forms plugin [1]. Users are strongly advised to update to the latest version immediately. No workaround is mentioned in the advisory, so updating is the recommended course of action.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
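As an added illustration, not the plugin's own code: a WordPress AJAX handler for an action named install_extension in the unprotected shape the advisory describes, next to a hardened form that adds the missing nonce and capability checks. The df_example_* names, the whitelist contents and the install helper are assumptions.

```php
<?php
// Illustrative code, not the plugin's own: the install_extension AJAX handler
// in the shape the advisory describes, then a hardened form. All df_example_*
// names and the whitelist contents are hypothetical.
// Vulnerable pattern: wp_ajax_* hooks fire for every logged-in user, so
// without a capability check and nonce a Subscriber can reach this code.
function df_example_install_extension_unsafe() {
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( in_array( $slug, df_example_allowed_extensions(), true ) ) {
        df_example_install_and_activate( $slug );
    }
    wp_send_json_success();
}
// Hardened pattern: nonce, capability check, then whitelist.
add_action( 'wp_ajax_install_extension', 'df_example_install_extension_safe' );
function df_example_install_extension_safe() {
    // CSRF: nonce issued to this user, e.g. wp_create_nonce( 'df_example_install' )
    // passed to the page script via wp_localize_script(). Dies on mismatch.
    check_ajax_referer( 'df_example_install', 'nonce' );
    // Authorization: only roles allowed to install and activate plugins.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, df_example_allowed_extensions(), true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown extension.' ), 400 );
    }
    $result = df_example_install_and_activate( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
function df_example_allowed_extensions() {
    return array( 'example-extension-a', 'example-extension-b' ); // constructed list
}
// Install a plugin from the wordpress.org directory by slug and activate it.
function df_example_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) { return $api; }
    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( true !== $installed ) {
        return is_wp_error( $installed ) ? $installed : new WP_Error( 'install_failed', 'Install failed.' );
    }
    return activate_plugin( $upgrader->plugin_info() ); // null on success, WP_Error on failure
}
```

The whitelist check in the unsafe handler is not a substitute for authorization: it only constrains which plugin a Subscriber can install, not whether they may install one at all.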

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)