CVE-2024-12201: CWE-862 Missing Authorization in hashthemes Hash Form – Drag & Drop Form Builder
CVE-2024-12201 is a medium severity vulnerability in the Hash Form – Drag & Drop Form Builder WordPress plugin, affecting all versions up to and including 1.2.1. The flaw is due to missing authorization checks when creating form styles, allowing authenticated users with Contributor-level access or higher to create new form styles without proper permissions. This vulnerability does not require user interaction and has no impact on confidentiality or availability but can lead to integrity issues through unauthorized modification of form styles. Exploitation is relatively easy since only low-privileged authenticated access is needed. No known exploits are currently in the wild. Organizations using this plugin should prioritize updating or applying custom access controls to prevent unauthorized style creation. Countries with significant WordPress usage and active web development communities are most at risk, including the United States, Germany, United Kingdom, Canada, Australia, and India.
AI Analysis
Technical Summary
CVE-2024-12201 identifies a missing authorization vulnerability (CWE-862) in the Hash Form – Drag & Drop Form Builder plugin for WordPress, present in all versions up to and including 1.2.1. The vulnerability arises because the plugin fails to perform proper capability checks when authenticated users attempt to create new form styles. Specifically, users with Contributor-level access or higher can exploit this flaw to create new form styles without the necessary permissions, bypassing intended access controls. The vulnerability does not affect confidentiality or availability but impacts integrity by allowing unauthorized modification of form styles, which could be leveraged for further attacks such as UI manipulation or social engineering. The CVSS 3.1 base score is 4.3 (medium), reflecting a network attack vector, low attack complexity, low privileges required, and no user interaction. No patches or exploits are currently publicly available, but the risk remains for sites using this plugin. The vulnerability is particularly relevant for WordPress sites that rely on this plugin for form creation and styling, potentially exposing them to unauthorized changes that could degrade user trust or site functionality.
Potential Impact
The primary impact of this vulnerability is on the integrity of affected WordPress sites using the Hash Form plugin. Unauthorized users with Contributor-level access can create new form styles, potentially leading to unauthorized UI changes, phishing attempts, or misleading form presentations that could trick users or administrators. While confidentiality and availability are not directly impacted, the integrity compromise can facilitate further attacks or damage site reputation. Organizations relying on this plugin for customer-facing forms or internal workflows may experience degraded trust or operational issues. Since Contributor-level access is relatively low privilege, many users within an organization or community could exploit this flaw if they have authenticated access, increasing the risk surface. The vulnerability affects all versions of the plugin up to 1.2.1, so widespread installations remain at risk until mitigated.
Mitigation Recommendations
To mitigate CVE-2024-12201, organizations should first check if an updated version of the Hash Form plugin is available that includes proper authorization checks and apply it immediately. If no official patch exists, administrators should implement custom access control measures to restrict form style creation to trusted roles only, such as Editors or Administrators, by modifying plugin code or using WordPress hooks to enforce capability checks. Additionally, review and limit Contributor-level user permissions to only trusted users and monitor form style creation activities for anomalies. Employing a Web Application Firewall (WAF) with rules targeting unauthorized form style creation attempts can provide temporary protection. Regularly audit user roles and plugin usage to detect unauthorized changes. Finally, maintain backups and have an incident response plan to quickly restore integrity if unauthorized modifications occur.
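The capability check the mitigation describes, as an added example that is not code from the Hash Form plugin: the AJAX action name `example_save_form_style`, the option key `example_form_styles`, the nonce action and the `example_form_style_denied` hook are all hypothetical. The first handler has the CWE-862 shape (the `wp_ajax_` hook proves only that the caller is logged in), the second adds nonce verification and a capability check that limits style creation to Editors and Administrators, and the closing snippet shows how a site-specific mu-plugin can enforce the same check on a hook it does not own.

```php
<?php
// Added example, not code from the Hash Form plugin. Action name, option key,
// nonce action and custom hook name are hypothetical.

// Vulnerable shape (CWE-862): registering on wp_ajax_<action> guarantees only
// that the request comes from an authenticated user. Any role that can reach
// admin-ajax.php, including Contributor, can create a style because the
// handler never asks whether the caller is allowed to.
function example_save_form_style_unchecked() {
    $styles   = get_option( 'example_form_styles', array() );
    $styles[] = array(
        'name' => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'css'  => wp_strip_all_tags( wp_unslash( $_POST['css'] ?? '' ) ),
    );
    update_option( 'example_form_styles', $styles );
    wp_send_json_success();
}

// Hardened shape: verify the nonce (CSRF), then require a capability that only
// Editors and Administrators hold by default. 'edit_others_posts' is the
// standard Editor-level capability; use 'manage_options' to restrict the
// action to Administrators only.
function example_save_form_style_checked() {
    check_ajax_referer( 'example_form_style_nonce', 'nonce' );

    if ( ! current_user_can( 'edit_others_posts' ) ) {
        // WordPress records nothing about denied AJAX calls by default, so
        // fire a custom action here to feed audit logging or alerting.
        do_action( 'example_form_style_denied', get_current_user_id() );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $styles   = get_option( 'example_form_styles', array() );
    $styles[] = array(
        'name' => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'css'  => wp_strip_all_tags( wp_unslash( $_POST['css'] ?? '' ) ),
    );
    update_option( 'example_form_styles', $styles );
    wp_send_json_success( array( 'count' => count( $styles ) ) );
}
add_action( 'wp_ajax_example_save_form_style', 'example_save_form_style_checked' );

// When the unchecked handler lives in a third-party plugin you would rather not
// edit, a must-use plugin can register on the same wp_ajax_ hook with priority 0.
// Lower priority numbers run first, and wp_send_json_error() terminates the
// request, so the plugin's own handler never executes for an unauthorized caller.
// This assumes the plugin exposes the action through admin-ajax.php.
add_action( 'wp_ajax_example_save_form_style', function () {
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        do_action( 'example_form_style_denied', get_current_user_id() );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}, 0 );
```

The priority-0 hook is the stopgap for the "no official patch" case in the recommendations above; once a fixed plugin version ships, remove it so the plugin's own checks are the single source of truth. Logging on the custom `example_form_style_denied` action gives the "monitor form style creation activities for anomalies" step something concrete to watch.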
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-04T17:10:06.888Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e31b7ef31ef0b597837
Added to database: 2/25/2026, 9:48:33 PM
Last enriched: 2/26/2026, 6:12:53 AM
Last updated: 2/26/2026, 6:54:37 AM