CVE-2024-1416 - Vulnerability Details - OpenCVE

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on several functions in all versions up to, and including, 1.8.9. This makes it possible for unauthenticated attackers to invoke those functions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00192.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L21
https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L674
https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/lf-install.php#L57
https://plugins.trac.wordpress.org/changeset/3068835
https://www.wordfence.com/threat-intel/vulnerabilities/id/d087957c-0dd5-46a9-a6bc-85f2f79f43bd?source=cve

History

Wed, 08 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Title		Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Missing Authorization
Weaknesses		CWE-352
References		https://plugins.trac.wordpress.org/changeset/3068835

Wed, 25 Feb 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-02T16:52:42.014Z

Updated: 2026-04-08T17:24:53.184Z

Reserved: 2024-02-09T18:33:10.545Z

Link: CVE-2024-1416

Vulnrichment

Updated: 2024-08-01T18:40:21.037Z

NVD

Status : Awaiting Analysis

Published: 2024-05-02T17:15:11.260

Modified: 2026-04-08T19:20:40.930

Link: CVE-2024-1416

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-1416", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-02-09T18:33:10.545Z", "datePublished": "2024-05-02T16:52:42.014Z", "dateUpdated": "2026-04-08T17:24:53.184Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:53.184Z"}, "affected": [{"vendor": "themehunk", "product": "Lead Form Builder & Contact Form", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on several functions in all versions up to, and including, 1.8.9. This makes it possible for unauthenticated attackers to invoke those functions."}], "title": "Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Missing Authorization", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d087957c-0dd5-46a9-a6bc-85f2f79f43bd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L674"}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/lf-install.php#L57"}, {"url": "https://plugins.trac.wordpress.org/changeset/3068835"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Duc Manh"}], "timeline": [{"time": "2024-04-11T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1416", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-02T18:05:36.659192Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:00:03.450Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.037Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d087957c-0dd5-46a9-a6bc-85f2f79f43bd?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L674", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L21", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/lf-install.php#L57", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d087957c-0dd5-46a9-a6bc-85f2f79f43bd?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L674", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L21", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/lf-install.php#L57", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.037Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1416", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-02T18:05:36.659192Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-02T18:06:27.120Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Duc Manh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "themehunk", "product": "Responsive Contact Form Builder & Lead Generation Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.8.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-04-11T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d087957c-0dd5-46a9-a6bc-85f2f79f43bd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L674"}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/lf-install.php#L57"}], "descriptions": [{"lang": "en", "value": "The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on several functions in all versions up to, and including, 1.8.9. This makes it possible for unauthenticated attackers to invoke those functions."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:52:42.014Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1416", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:40:21.037Z", "dateReserved": "2024-02-09T18:33:10.545Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-02T16:52:42.014Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on several functions in all versions up to, and including, 1.8.9. This makes it possible for unauthenticated attackers to invoke those functions."}, {"lang": "es", "value": "El complemento Responsive Contact Form Builder & Lead Generation Plugin para WordPress es vulnerable al acceso no autorizado a la funcionalidad debido a una falta de verificaci\u00f3n de capacidad en varias funciones en todas las versiones hasta la 1.8.9 incluida. Esto hace posible que atacantes no autenticados invoquen esas funciones."}], "id": "CVE-2024-1416", "lastModified": "2026-04-08T19:20:40.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-05-02T17:15:11.260", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L674"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/lf-install.php#L57"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3068835"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d087957c-0dd5-46a9-a6bc-85f2f79f43bd?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L21"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L674"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/lf-install.php#L57"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d087957c-0dd5-46a9-a6bc-85f2f79f43bd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}