CVE-2024-1158: CWE-862 Missing Authorization in themekraft Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber access or higher, to create pages with arbitrary titles. These pages are published.
AI Analysis
Technical Summary
The themekraft WordPress plugin 'Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)' (BuddyForms) suffers from a missing capability check (CWE-862) in the buddyforms_new_page function in all versions up to and including 2.8.7. The function creates a WordPress page on request without first confirming that the calling user holds a capability that permits it (publish_pages is the capability WordPress core uses for this; the advisory names only the missing check, not the capability). Because any authenticated user can reach the function, a subscriber, whose role normally carries little more than the read capability, can create new pages with arbitrary titles that are published immediately, bypassing the intended authorization controls. The vulnerability has a CVSS 3.1 base score of 4.3 (medium): the attacker needs a low-privilege account and gains a limited integrity impact, namely unauthorized content creation, without any elevation of privilege.
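The following illustrates the class of defect described above. It is an added example, not code from the BuddyForms plugin: the real handler is called buddyforms_new_page, but its hook name, request parameter (page_name) and nonce action used here are assumptions. The first function shows a page-creation handler with no authorization check; the second shows the same handler hardened with a nonce check and a capability check before any write.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler.
// Not the plugin's code: hook name, parameter name and nonce action are assumed.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks fire for every logged-in user, including subscribers, so a
// handler that writes without checking capabilities is reachable by anyone
// with an account. (Hook deliberately not registered here; see hardened form.)
function example_new_page_vulnerable() {
    $title = isset( $_POST['page_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['page_name'] ) )
        : '';

    // No current_user_can() and no nonce check before the write.
    $page_id = wp_insert_post( array(
        'post_title'  => $title,
        'post_type'   => 'page',
        'post_status' => 'publish', // published immediately, as in the advisory
    ) );

    wp_send_json_success( array( 'page_id' => $page_id ) );
}

// --- Hardened form --------------------------------------------------------
add_action( 'wp_ajax_example_new_page', 'example_new_page_hardened' );
function example_new_page_hardened() {
    // CSRF protection: the request must carry a nonce issued for this action
    // (generated server-side with wp_create_nonce( 'example_new_page' )).
    // check_ajax_referer() dies with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_new_page', 'nonce' );

    // Authorization: only users allowed to publish pages may create one.
    // Subscribers fail this check. wp_send_json_error() calls wp_die(),
    // so nothing below it runs for an unauthorized caller.
    if ( ! current_user_can( 'publish_pages' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $title = isset( $_POST['page_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['page_name'] ) )
        : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'A page title is required.' ), 400 );
    }

    $page_id = wp_insert_post( array(
        'post_title'  => $title,
        'post_type'   => 'page',
        'post_status' => 'publish',
        'post_author' => get_current_user_id(),
    ), true ); // true: return WP_Error on failure instead of 0

    if ( is_wp_error( $page_id ) ) {
        wp_send_json_error( array( 'message' => $page_id->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'page_id' => $page_id ) );
}
```

The capability check is the fix for CWE-862; the nonce check is a separate control (against CSRF) that a handler which writes data should also have. Checking a nonce alone does not solve the authorization problem, because any logged-in user can obtain a nonce for an action exposed to them.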
Potential Impact
An attacker with subscriber-level access or higher can exploit this vulnerability to create arbitrary published pages on the affected WordPress site. Because the pages are published rather than held as drafts, they are publicly reachable under the site's own domain as soon as they are created, so the flaw can be used to plant misleading content, spam or phishing landing pages that borrow the site's reputation. Sites that allow open registration are most exposed, since the only precondition is an account. No direct impact on confidentiality or availability has been reported, and no exploitation in the wild had been documented at the time of writing.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Since every version up to and including 2.8.7 is affected, any release later than 2.8.7 should be checked against the vendor changelog for a fix before relying on it. In the meantime, site administrators should disable open registration (Settings → General → "Anyone can register") if it is not needed, review existing subscriber accounts, and audit recently published pages for authors who would not normally be able to publish, unpublishing anything unexpected.
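One way to carry out the audit and containment steps above, written here as an added example rather than anything from the vendor: the function names are assumptions, and the snippet is meant to be run once from a must-use plugin or with `wp eval-file`. It lists published pages whose author lacks the publish_pages capability (the condition an exploited buddyforms_new_page call would leave behind), then closes open registration and reverts the flagged pages to draft for review.

```php
<?php
// Added audit/containment helper. Not from the plugin or vendor; names assumed.

/**
 * Return published pages whose author cannot legitimately publish pages.
 * A hit means the page was created via some path that skipped the capability
 * check, or the author's role was reduced after the page was published.
 *
 * @param string $since strtotime()-compatible window, e.g. '-30 days'.
 * @return array[] rows with ID, title, author and date.
 */
function example_audit_pages_by_unprivileged_authors( $since = '-30 days' ) {
    $pages = get_posts( array(
        'post_type'   => 'page',
        'post_status' => 'publish',
        'numberposts' => -1,
        'date_query'  => array( array( 'after' => $since ) ),
    ) );

    $suspect = array();
    foreach ( $pages as $page ) {
        // user_can() evaluates a capability for an arbitrary user ID, which is
        // the same test the vulnerable handler should have applied to the caller.
        if ( ! user_can( (int) $page->post_author, 'publish_pages' ) ) {
            $suspect[] = array(
                'ID'     => $page->ID,
                'title'  => $page->post_title,
                'author' => (int) $page->post_author,
                'date'   => $page->post_date,
            );
        }
    }
    return $suspect;
}

/**
 * Interim containment while no fixed release is confirmed: stop new accounts
 * from being created and take flagged pages offline without deleting them.
 */
function example_contain_suspect_pages() {
    // Equivalent to unticking "Anyone can register" in Settings → General.
    update_option( 'users_can_register', 0 );

    foreach ( example_audit_pages_by_unprivileged_authors() as $row ) {
        // Revert to draft rather than delete so the content is preserved as
        // evidence and can be restored if the audit turns out to be a false positive.
        wp_update_post( array( 'ID' => $row['ID'], 'post_status' => 'draft' ) );
        error_log( sprintf(
            'Unpublished suspect page %d "%s" by user %d (created %s)',
            $row['ID'], $row['title'], $row['author'], $row['date']
        ) );
    }
}

example_contain_suspect_pages();
```

Run the audit function on its own first and review the output; the containment step is intentionally conservative (draft, not delete) so that legitimately created pages caught by a role change are easy to restore.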
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-02-01T15:11:48.087Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d22b7ef31ef0b56e454
Added to database: 2/25/2026, 9:44:02 PM
Last enriched: 4/9/2026, 7:39:08 PM
Last updated: 4/12/2026, 5:13:33 PM