
CVE-2024-12190: CWE-862 Missing Authorization in bitpressadmin Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Severity: Medium
Published: Wed Dec 25 2024 (12/25/2024, 03:21:32 UTC)
Source: CVE Database V5
Vendor/Project: bitpressadmin
Product: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Description

CVE-2024-12190 is a medium-severity vulnerability in the WordPress plugin 'Contact Form by Bit Form' up to and including version 2.17.3. It arises from a missing authorization check on the bitform-form-entry-edit endpoint, allowing authenticated users with Subscriber-level access or higher to view all form submissions, including those of other users. This flaw does not require user interaction and can be exploited remotely over the network. The vulnerability impacts confidentiality but does not affect integrity or availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize applying patches or implementing access restrictions to prevent unauthorized data disclosure. The threat primarily affects WordPress sites globally, especially those with Subscriber-level user roles enabled. Countries with significant WordPress usage and e-commerce or service websites relying on this plugin are at higher risk.

AI-Powered Analysis

Last updated: 02/26/2026, 06:13:18 UTC

Technical Analysis

CVE-2024-12190 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin 'Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder' developed by bitpressadmin. The issue stems from the absence of a proper capability check on the bitform-form-entry-edit endpoint, which handles form submission entries. This endpoint fails to verify whether the authenticated user has the necessary permissions to view or edit form submissions. Consequently, any authenticated user with at least Subscriber-level privileges can access and view all form submissions made through the plugin, including those submitted by other users. The vulnerability affects all versions up to and including 2.17.3. Exploitation requires authentication but no additional user interaction, and it can be performed remotely over the network. The vulnerability compromises confidentiality by exposing potentially sensitive form data but does not impact data integrity or system availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 4.3, with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, requiring low privileges, no user interaction, unchanged scope, and limited confidentiality impact.

Potential Impact

The primary impact of CVE-2024-12190 is unauthorized disclosure of sensitive information submitted via forms on affected WordPress sites. Organizations using this plugin may inadvertently expose personal data, payment information, or other confidential inputs collected through their contact forms to any authenticated user with Subscriber-level access or higher. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and potential legal liabilities. Although the vulnerability does not allow modification or deletion of data, the exposure of sensitive form submissions can facilitate further social engineering or targeted attacks. The risk is particularly significant for websites that allow broad user registration or have multiple user roles with Subscriber-level permissions. Since WordPress powers a large portion of websites globally, the scope of affected systems is extensive. However, the requirement for authentication limits exploitation to insiders or registered users, reducing the risk of widespread automated attacks. No known active exploitation reduces immediate threat but does not eliminate future risk.

Mitigation Recommendations

1. Update the 'Contact Form by Bit Form' plugin to the latest version once a patch addressing CVE-2024-12190 is released by the vendor.
2. Until a patch is available, restrict user roles and permissions to limit Subscriber-level access only to trusted users.
3. Implement additional access control measures at the web server or application firewall level to block unauthorized requests to the bitform-form-entry-edit endpoint.
4. Monitor user activity logs for unusual access patterns to form submission data.
5. Consider disabling or replacing the vulnerable plugin with alternative contact form solutions that enforce strict authorization checks.
6. Conduct regular security audits and penetration testing focusing on user privilege escalation and data access controls.
7. Educate site administrators and users about the risks of excessive permissions and the importance of least privilege principles.
8. Employ data encryption and anonymization for sensitive form submissions where feasible to reduce impact if data is exposed.
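The following is an added illustration of the CWE-862 pattern described in the technical analysis and of the server-side authorization check the mitigations call for; it is not the Bit Form plugin's code. The page does not say whether bitform-form-entry-edit is a REST or admin-ajax route, so this example assumes a WordPress REST route, and the route namespace, callback names and the `example_forms_load_entry` storage filter are assumptions.

```php
<?php
// Added example, not the plugin's code. Contrasts an entry-view endpoint with no
// capability check against one that authorizes the caller before the handler runs.

// Weak pattern: permission_callback admits every request, so any logged-in user
// (a Subscriber included) can read every stored submission by id.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-forms/v1', '/entry/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_entry',
        'permission_callback' => '__return_true',   // missing authorization (CWE-862)
    ) );
} );

// Hardened pattern: the same handler, but reached only after a capability check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-forms/v1', '/entry-secure/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_entry',
        'permission_callback' => 'example_can_view_entries',
    ) );
} );

// Authorization decision. 'manage_options' is held by Administrators only, so a
// Subscriber receives 403 here and never reaches the data handler. A plugin that
// needs finer control would register its own capability and test for that instead.
function example_can_view_entries( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

// Data handler, identical for both routes; authorization is decided before it runs.
function example_get_entry( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    // Assumed storage hook: a real plugin would query its own entries table here.
    $entry = apply_filters( 'example_forms_load_entry', null, $id );
    if ( null === $entry ) {
        return new WP_Error( 'not_found', 'No such entry.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $entry );
}
```

When reviewing a plugin for this class of bug, look at every `permission_callback` that is `__return_true` or that only tests `is_user_logged_in()`: logged-in is authentication, not authorization, which is exactly the gap this CVE describes.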


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-12-04T16:52:19.532Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e31b7ef31ef0b59782d

Added to database: 2/25/2026, 9:48:33 PM

Last enriched: 2/26/2026, 6:13:18 AM

Last updated: 2/26/2026, 6:35:04 AM
