An Insecure Direct Object References (IDOR) vulnerability has been identified in the WordPress Simplr Registration Form Plus+ Plugin. This vulnerability could allow a malicious actor to bypass authorization and authentication, access sensitive files or folders, or interact with the database.
This vulnerability was discovered and responsibly reported by Lana Codes.
The IDOR vulnerability occurs in the simplr-registration-form-plus.php file. The plugin mishandles user input in a way that lets an attacker bypass authorization and authentication.
The vulnerability has a CVSS 3.1 score of 8.8, rated High. It demands immediate attention because of the substantial risk it poses to the website's security and integrity.
As of the latest information, no patched version is available to address the IDOR vulnerability in the Simplr Registration Form Plus+ Plugin. Consequently, websites running this plugin remain at elevated risk of attack.
An attacker who successfully exploits this vulnerability could:
- Bypass authorization and authentication to access sensitive information, such as user data, database credentials, and configuration files.
- Modify or delete sensitive data.
- Execute arbitrary code on the website.
- Take full control of the website.
Users of the Simplr Registration Form Plus+ Plugin are strongly advised to uninstall the plugin until a patched version is released.