Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for RTMForm Builder by rometheme

    CVE-2023-6325 (GCVE-0-2023-6325)

    Vulnerability from nvd – Published: 2024-05-23 04:30 – Updated: 2026-04-08 17:03
    VLAI
    Title
    RomethemeForm For Elementor <= 1.1.5 - Missing Authorization via export_entries, rtformnewform, and rtformupdate
    Summary
    The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the export_entries, rtformnewform, and rtformupdate functions in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to export arbitrary form submissions, create new forms, or update any post title or certain metadata.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    rometheme RTMForm Builder Affected: 0 , ≤ 1.1.5 (semver)
    Create a notification for this product.
    rometheme romethemeform_for_elementor Affected: 0 , ≤ 1.1.5 (semver)
        cpe:2.3:a:rometheme:romethemeform_for_elementor:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Francesco Carlucci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:rometheme:romethemeform_for_elementor:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "romethemeform_for_elementor",
                "vendor": "rometheme",
                "versions": [
                  {
                    "lessThanOrEqual": "1.1.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6325",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-24T20:01:19.744197Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:17.730Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:28:21.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81a293ea-abda-4c90-a109-791ca5ba89a4?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/romethemeform/tags/1.1.2/modules/form/form.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3090708/romethemeform/trunk?contextall=1\u0026old=3079080\u0026old_path=%2Fromethemeform%2Ftrunk"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RTMForm Builder",
              "vendor": "rometheme",
              "versions": [
                {
                  "lessThanOrEqual": "1.1.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the export_entries, rtformnewform, and rtformupdate functions in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to export arbitrary form submissions, create new forms, or update any post title or certain metadata."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:03:47.846Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81a293ea-abda-4c90-a109-791ca5ba89a4?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/romethemeform/tags/1.1.2/modules/form/form.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3090708/romethemeform/trunk?contextall=1\u0026old=3079080\u0026old_path=%2Fromethemeform%2Ftrunk"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RomethemeForm For Elementor \u003c= 1.1.5 - Missing Authorization via export_entries, rtformnewform, and rtformupdate"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6325",
        "datePublished": "2024-05-23T04:30:53.799Z",
        "dateReserved": "2023-11-27T14:34:15.631Z",
        "dateUpdated": "2026-04-08T17:03:47.846Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-6325 (GCVE-0-2023-6325)

    Vulnerability from cvelistv5 – Published: 2024-05-23 04:30 – Updated: 2026-04-08 17:03
    VLAI
    Title
    RomethemeForm For Elementor <= 1.1.5 - Missing Authorization via export_entries, rtformnewform, and rtformupdate
    Summary
    The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the export_entries, rtformnewform, and rtformupdate functions in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to export arbitrary form submissions, create new forms, or update any post title or certain metadata.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    rometheme RTMForm Builder Affected: 0 , ≤ 1.1.5 (semver)
    Create a notification for this product.
    rometheme romethemeform_for_elementor Affected: 0 , ≤ 1.1.5 (semver)
        cpe:2.3:a:rometheme:romethemeform_for_elementor:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Francesco Carlucci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:rometheme:romethemeform_for_elementor:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "romethemeform_for_elementor",
                "vendor": "rometheme",
                "versions": [
                  {
                    "lessThanOrEqual": "1.1.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6325",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-24T20:01:19.744197Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:17.730Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:28:21.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81a293ea-abda-4c90-a109-791ca5ba89a4?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/romethemeform/tags/1.1.2/modules/form/form.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3090708/romethemeform/trunk?contextall=1\u0026old=3079080\u0026old_path=%2Fromethemeform%2Ftrunk"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RTMForm Builder",
              "vendor": "rometheme",
              "versions": [
                {
                  "lessThanOrEqual": "1.1.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the export_entries, rtformnewform, and rtformupdate functions in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to export arbitrary form submissions, create new forms, or update any post title or certain metadata."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:03:47.846Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81a293ea-abda-4c90-a109-791ca5ba89a4?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/romethemeform/tags/1.1.2/modules/form/form.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3090708/romethemeform/trunk?contextall=1\u0026old=3079080\u0026old_path=%2Fromethemeform%2Ftrunk"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "RomethemeForm For Elementor \u003c= 1.1.5 - Missing Authorization via export_entries, rtformnewform, and rtformupdate"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6325",
        "datePublished": "2024-05-23T04:30:53.799Z",
        "dateReserved": "2023-11-27T14:34:15.631Z",
        "dateUpdated": "2026-04-08T17:03:47.846Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }