CVE-2024-9700 is an authorization bypass vulnerability classified under CWE-639 (Insecure Direct Object Reference) found in the Forminator Forms – Contact Form, Payment Form & Custom Form Builder WordPress plugin, versions up to and including 1.36.0. The vulnerability arises from the submit_quizzes() function, which processes quiz submissions. This function accepts an 'entry_id' parameter that is user-controlled but lacks proper validation or authorization checks. As a result, an unauthenticated attacker can manipulate this parameter to modify quiz submissions belonging to other users. This bypasses intended access controls, allowing unauthorized data modification. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The impact is limited to integrity, as attackers can alter quiz submission data but cannot access confidential information or disrupt service availability. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The vulnerability affects all versions of the plugin up to 1.36.0, which is widely used in WordPress sites for creating forms, quizzes, and payment forms. The CVSS v3.1 base score is 5.3, reflecting medium severity due to the ease of exploitation and limited impact scope.

The primary impact of CVE-2024-9700 is the unauthorized modification of quiz submission data within affected WordPress sites using the Forminator Forms plugin. This compromises data integrity, potentially leading to inaccurate quiz results, fraudulent form submissions, or manipulation of user-generated content. For organizations relying on these forms for assessments, payments, or data collection, this could undermine trust and lead to operational disruptions. While confidentiality and availability are not directly affected, the integrity breach could facilitate further attacks or fraud, especially in environments where quiz or form data influences business decisions or user access. The vulnerability's ease of exploitation without authentication increases the risk of automated attacks targeting vulnerable sites. Organizations with high volumes of form submissions or sensitive workflows integrated with Forminator Forms are at greater risk. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant concern until patched.

Organizations should immediately assess their use of the Forminator Forms plugin and identify affected versions (up to 1.36.0). Although no official patch is currently linked, users should monitor vendor communications for updates and apply patches as soon as they become available. In the interim, implement strict input validation and authorization checks on the 'entry_id' parameter at the application or web server level, if possible, to prevent unauthorized access or modification. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the submit_quizzes() function or containing anomalous 'entry_id' values. Review and restrict permissions for form submission endpoints to limit exposure. Conduct regular audits of quiz submission data for signs of unauthorized changes. Additionally, consider disabling or limiting quiz submission features if not critical to operations until a fix is deployed. Educate site administrators about the risk and encourage prompt action to reduce attack surface.