
CVE-2024-22305: CWE-639 Authorization Bypass Through User-Controlled Key in ali Forms Contact Form builder with drag & drop for WordPress – Kali Forms

Severity: High
Type: Vulnerability
Tags: cve, cve-2024-22305, cwe-639
Published: Wed Jan 31 2024 (01/31/2024, 11:49:29 UTC)
Source: CVE
Vendor/Project: ali Forms
Product: Contact Form builder with drag & drop for WordPress – Kali Forms

Description

Authorization Bypass Through User-Controlled Key vulnerability in ali Forms Contact Form builder with drag & drop for WordPress – Kali Forms. This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.

AI-Powered Analysis

Last updated: 07/08/2025, 21:58:17 UTC

Technical Analysis

CVE-2024-22305 is a high-severity vulnerability classified under CWE-639, Authorization Bypass Through User-Controlled Key. It affects the ali Forms Contact Form builder with drag & drop for WordPress (Kali Forms), versions up to and including 2.3.36. The core issue is that the plugin does not adequately verify authorization when processing user-supplied keys: a key taken from the request is trusted as the basis for access, so an attacker can bypass authorization controls without any authentication or user interaction.

The CVSS 3.1 base score of 7.5 reflects a network-exploitable vulnerability (AV:N) with low attack complexity (AC:L), no privileges required (PR:N) and no user interaction needed (UI:N). The impact is on confidentiality only (C:H); integrity and availability are not directly affected. In practice this means an attacker can read sensitive data or information that should be restricted.

The plugin is widely used to build drag & drop contact forms, which sites deploy to collect user input and potentially sensitive information. Because neither authentication nor user interaction is required, exploitation is straightforward and the risk of unauthorized data disclosure is correspondingly high. No exploits in the wild are currently reported and no official patches have been linked yet, so mitigation may currently rely on workarounds or on vendor updates pending release.
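The advisory does not identify the affected endpoint or parameter, so the following is a generic illustration of the CWE-639 shape in a WordPress REST handler, added here as an example. It is not Kali Forms code: the route, the post type, the meta key and the function names are all hypothetical. The vulnerable handler trusts the request-supplied entry id as the only input to the lookup; the hardened handler keeps the same user-controlled key but makes the access decision independent of it (an authenticated caller with an appropriate capability, and an object of the type the plugin owns).

```php
<?php
// Added illustration of CWE-639 in a WordPress plugin context. NOT code from Kali Forms;
// the route, post type, meta key and function names are hypothetical.

// VULNERABLE pattern: the id comes from the request and is used directly as the lookup
// key, with no authentication, capability or object-type check. Anyone who can reach the
// route can read any stored submission by supplying a different id.
function hypothetical_vulnerable_get_entry( WP_REST_Request $request ) {
    $entry_id = (int) $request->get_param( 'entry_id' );
    $entry    = get_post( $entry_id );
    if ( ! $entry ) {
        return new WP_Error( 'not_found', 'No such entry', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'     => $entry->ID,
        'fields' => get_post_meta( $entry->ID, '_hypothetical_entry_fields', true ),
    ) );
}

// HARDENED pattern: the caller must be logged in and hold a capability the plugin maps to
// "may read submissions", and the record must be of the plugin's own post type. The key is
// still user-controlled, but authorization no longer depends on it being unguessable.
function hypothetical_hardened_get_entry( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'unauthenticated', 'Login required', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) { // or a dedicated plugin capability
        return new WP_Error( 'forbidden', 'Insufficient privileges', array( 'status' => 403 ) );
    }
    $entry_id = (int) $request->get_param( 'entry_id' );
    $entry    = get_post( $entry_id );
    // Refuse to serve objects of other post types even when the id is valid.
    if ( ! $entry || 'hypothetical_form_entry' !== $entry->post_type ) {
        return new WP_Error( 'not_found', 'No such entry', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'     => $entry->ID,
        'fields' => get_post_meta( $entry->ID, '_hypothetical_entry_fields', true ),
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hypothetical-forms/v1', '/entries/(?P<entry_id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'hypothetical_hardened_get_entry',
        // permission_callback is the idiomatic place for the access decision; returning
        // '__return_true' here is the REST-route equivalent of the vulnerable pattern.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'entry_id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
            ),
        ),
    ) );
} );
```

The capability check is deliberately duplicated in the handler and in `permission_callback`: the route-level callback is what WordPress consults before dispatch, and the in-handler check protects the function if it is ever reused from another entry point. Note that the confidentiality-only impact rated in the CVSS vector (C:H, no I or A) is exactly what a read-only handler of the vulnerable shape yields.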

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress websites with the ali Forms Contact Form builder plugin installed. The unauthorized access to sensitive form data could lead to exposure of personal data, customer information, or internal communications, potentially violating GDPR and other data protection regulations. This could result in regulatory fines, reputational damage, and loss of customer trust. Organizations in sectors such as e-commerce, healthcare, education, and government that use WordPress forms for collecting user data are particularly vulnerable. Since the vulnerability allows remote exploitation without authentication, attackers could automate attacks at scale, targeting multiple organizations simultaneously. The confidentiality breach could also facilitate further attacks, such as phishing or social engineering, by harvesting contact details or internal information. The absence of impact on integrity and availability limits the threat to data exposure rather than data manipulation or service disruption, but the confidentiality loss alone is critical under European data protection frameworks.

Mitigation Recommendations

European organizations should immediately inventory their WordPress installations to identify the presence of the ali Forms Contact Form builder plugin and verify the version in use. Until an official patch is released, organizations should consider disabling or removing the plugin to eliminate the attack surface. If disabling is not feasible, restricting access to the WordPress admin interface and form submission endpoints via IP whitelisting or web application firewall (WAF) rules can reduce exposure. Implementing strict input validation and monitoring unusual access patterns or spikes in form submissions can help detect exploitation attempts. Organizations should also ensure that all WordPress core and plugin components are kept up to date and subscribe to vendor security advisories for timely patch deployment. Additionally, reviewing and minimizing the amount of sensitive data collected through forms can reduce potential impact. Employing data encryption at rest and in transit, along with regular security audits, will further strengthen defenses against data leakage.
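The recommendation to monitor for unusual access patterns can be made concrete with a small log check. The script below is an added example, not from the page or the vendor: it parses constructed combined-format access log lines, counts how many distinct entry ids each client successfully requested on a form-data endpoint, and flags clients that walked through many of them, which is the characteristic footprint of a user-controlled-key bypass being enumerated. The endpoint path, the log lines and the threshold are all constructed for the example.

```php
<?php
// Added example, not page or vendor code: flag clients that request many distinct entry
// ids on a form-data endpoint. Endpoint path, threshold and log lines are constructed.

const HYPOTHETICAL_ENDPOINT  = '/wp-json/hypothetical-forms/v1/entries/';
const DISTINCT_KEY_THRESHOLD = 20;

/** Parse one combined-log line into ['ip', 'path', 'status'], or null if it does not match. */
function parse_access_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) /', $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'path' => $m[2], 'status' => (int) $m[3] );
}

/** Return ip => number of distinct entry ids that client fetched with a 2xx response. */
function distinct_keys_per_ip( array $lines ): array {
    $seen = array();
    foreach ( $lines as $line ) {
        $rec = parse_access_line( $line );
        if ( ! $rec || strpos( $rec['path'], HYPOTHETICAL_ENDPOINT ) !== 0 ) {
            continue;
        }
        // Only successful reads matter; a hardened deployment answers 401/403 instead.
        if ( $rec['status'] < 200 || $rec['status'] >= 300 ) {
            continue;
        }
        $key = substr( $rec['path'], strlen( HYPOTHETICAL_ENDPOINT ) );
        $key = explode( '?', $key, 2 )[0]; // strip any query string
        $seen[ $rec['ip'] ][ $key ] = true;
    }
    return array_map( 'count', $seen );
}

/** IPs whose distinct-id count meets the threshold. */
function suspicious_ips( array $lines, int $threshold = DISTINCT_KEY_THRESHOLD ): array {
    return array_keys( array_filter( distinct_keys_per_ip( $lines ), fn( $n ) => $n >= $threshold ) );
}

// Constructed sample: one client walks ids 1..25, another fetches the same single entry twice.
$sample = array();
for ( $i = 1; $i <= 25; $i++ ) {
    $sample[] = sprintf(
        '203.0.113.7 - - [31/Jan/2024:11:49:%02d +0000] "GET %s%d HTTP/1.1" 200 412 "-" "curl/8.4"',
        $i, HYPOTHETICAL_ENDPOINT, $i
    );
}
$sample[] = '198.51.100.2 - - [31/Jan/2024:11:50:00 +0000] "GET ' . HYPOTHETICAL_ENDPOINT . '3 HTTP/1.1" 200 412 "-" "Mozilla/5.0"';
$sample[] = '198.51.100.2 - - [31/Jan/2024:11:50:05 +0000] "GET ' . HYPOTHETICAL_ENDPOINT . '3 HTTP/1.1" 200 412 "-" "Mozilla/5.0"';

print_r( suspicious_ips( $sample ) );
```

Counting distinct ids rather than raw request volume is the design choice that matters: a legitimate user reloading one entry generates many requests but one key, whereas a bypass attempt is defined by touching keys the client has no reason to know. Restricting the count to 2xx responses keeps the signal tied to data actually disclosed, so the same check doubles as a confirmation that a WAF rule or access restriction put in place as a workaround is effective.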


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2024-01-08T20:58:59.274Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6830a0ae0acd01a249274160

Added to database: 5/23/2025, 4:22:06 PM

Last enriched: 7/8/2025, 9:58:17 PM

Last updated: 7/31/2025, 6:27:39 AM
