CVE-2024-11353
📋 TL;DR
The SMS for Lead Capture Forms WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to delete arbitrary messages. This affects all WordPress sites using plugin versions up to 1.1.0. The vulnerability stems from missing capability checks in the delete_message() function.
💻 Affected Systems
- SMS for Lead Capture Forms WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could delete all lead capture messages, causing data loss and disrupting business operations that rely on SMS lead data.
Likely Case
Low-privilege users deleting messages they shouldn't have access to, potentially disrupting marketing/sales workflows.
If Mitigated
Minimal impact with proper user access controls and monitoring in place.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple - just calling the vulnerable function without proper authorization checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.1 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'SMS for Lead Capture Forms'. 4. Click 'Update Now' if update available. 5. Alternatively, download version 1.1.1+ from WordPress plugin repository and replace existing files.
🔧 Temporary Workarounds
Disable plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate clicksend-lead-capture-form
Restrict user roles
allLimit Subscriber role assignments and review existing Subscriber accounts
🧯 If You Can't Patch
- Remove Subscriber role from untrusted users or implement custom capability checks
- Implement additional logging and monitoring for message deletion activities
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → SMS for Lead Capture Forms → Version. If version is 1.1.0 or lower, you are vulnerable.Check Version:
wp plugin get clicksend-lead-capture-form --field=versionVerify Fix Applied:
After update, verify plugin version shows 1.1.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual message deletion patterns
- Subscriber-level users accessing message management functions
Network Indicators:
- POST requests to wp-admin/admin-ajax.php with action=delete_message from low-privilege users
SIEM Query:
source="wordpress" action="delete_message" user_role="subscriber"🔗 References
- https://plugins.trac.wordpress.org/browser/clicksend-lead-capture-form/trunk/clicksend-SMS-form-settings.php#L54
- https://plugins.trac.wordpress.org/browser/clicksend-lead-capture-form/trunk/clicksend-SMS-form-settings.php#L63
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a0c68bb6-77a2-4232-923a-37f2c0327743?source=cve
