CVE-2023-35051

5.4 MEDIUM

📋 TL;DR

This CVE describes a missing-authorization vulnerability in the Contact Forms by Cimatti WordPress plugin that lets attackers bypass access controls. Because of incorrectly configured access-control levels, attackers can perform actions they are not authorized for. All WordPress sites running Contact Forms by Cimatti versions up to and including 1.5.7 are affected.

💻 Affected Systems

Products:
  • Contact Forms by Cimatti WordPress Plugin
Versions: all versions up to and including 1.5.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin version installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify form submissions, access sensitive form data, or manipulate form configurations without authentication.

🟠 Likely Case

Unauthorized users access or modify form data they should not be able to reach, potentially exposing PII or other sensitive information.

🟢 If Mitigated

With proper authorization controls, only authenticated users with appropriate permissions can access form data and functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Missing-authorization vulnerabilities typically require minimal technical skill to exploit once the unprotected endpoint is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.8 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/contact-forms/vulnerability/wordpress-contact-forms-by-cimatti-plugin-1-5-7-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find 'Contact Forms by Cimatti'
4. Click 'Update Now' if update is available
5. If no update appears, manually download version 1.5.8+ from WordPress.org
6. Deactivate and delete old version
7. Upload and activate new version

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate contact-forms-by-cimatti

Restrict Access (platform: all)

Implement IP allowlisting or additional authentication layers for the plugin's form endpoints.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthorized access to plugin endpoints
  • Monitor access logs for unusual patterns of requests to contact form endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'Contact Forms by Cimatti' version 1.5.7 or earlier

Check Version:

wp plugin get contact-forms-by-cimatti --field=version

Verify Fix Applied:

Verify plugin version is 1.5.8 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST/GET requests to endpoints under /wp-content/plugins/contact-forms-by-cimatti/
  • Multiple failed authentication attempts followed by successful access to form data

Network Indicators:

  • Unusual traffic patterns to contact form endpoints from unauthenticated sources

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-content/plugins/contact-forms-by-cimatti/" OR plugin="contact-forms-by-cimatti") AND (response_code=200 OR response_code=302) AND user="-"

🔗 References
