CVE-2024-12201
📋 TL;DR
The Hash Form WordPress plugin has an authorization vulnerability that allows authenticated users with Contributor-level permissions or higher to create new form styles without proper authorization. This affects all WordPress sites using Hash Form plugin versions up to 1.2.1. The vulnerability stems from missing capability checks in the form style creation functionality.
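To show the bug class in concrete terms, here is an added illustration of a WordPress admin-ajax handler that saves a form style, first without an authorization check and then hardened. This is not Hash Form's own code; the hook name, nonce action and option key (all prefixed hashform_demo_) are hypothetical.

```php
<?php
// Added illustration, not Hash Form's code. Every hashform_demo_* name is hypothetical.

// Vulnerable shape: wp_ajax_* hooks run for ANY logged-in user, so a Contributor
// reaches this handler and nothing asks whether they may manage styles.
function hashform_demo_create_style_unchecked() {
    $name = sanitize_text_field( wp_unslash( $_POST['style_name'] ?? '' ) );
    $css  = wp_strip_all_tags( wp_unslash( $_POST['style_css'] ?? '' ) );

    $styles          = get_option( 'hashform_demo_styles', array() );
    $styles[ $name ] = $css;
    update_option( 'hashform_demo_styles', $styles );

    wp_send_json_success( array( 'created' => $name ) );
}

// Hardened shape: nonce first (CSRF), then capability (authorization), then input.
// Contributors do not hold manage_options, so they receive a 403 and nothing is written.
function hashform_demo_create_style() {
    check_ajax_referer( 'hashform_demo_style', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $name = sanitize_text_field( wp_unslash( $_POST['style_name'] ?? '' ) );
    $css  = wp_strip_all_tags( wp_unslash( $_POST['style_css'] ?? '' ) );
    if ( '' === $name ) {
        wp_send_json_error( array( 'message' => 'Missing style name' ), 400 );
    }

    $styles          = get_option( 'hashform_demo_styles', array() );
    $styles[ $name ] = $css;
    update_option( 'hashform_demo_styles', $styles );

    wp_send_json_success( array( 'created' => $name ) );
}

// Only the hardened handler is registered; the unchecked one is shown for contrast.
add_action( 'wp_ajax_hashform_demo_create_style', 'hashform_demo_create_style' );
```

When reviewing a plugin for this class of issue, look for every wp_ajax_ and REST callback that writes options or posts and confirm a current_user_can() check precedes the write.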
💻 Affected Systems
- Hash Form – Drag & Drop Form Builder WordPress plugin
📦 What is this software?
Hash Form by Hashthemes
⚠️ Risk & Real-World Impact
Worst Case
Malicious contributor could create disruptive form styles, potentially defacing forms or creating phishing forms to harvest user data.
Likely Case
Contributor-level users could create unauthorized form styles, potentially disrupting form functionality or creating unwanted form variations.
If Mitigated
With proper user role management and plugin updates, impact is limited to minor administrative issues.
🎯 Exploit Status
Exploitation requires authenticated access with at least Contributor privileges. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3205245%40hash-form&new=3205245%40hash-form&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Hash Form – Drag & Drop Form Builder'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.2.2+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Temporary User Role Restriction
Temporarily restrict Contributor role permissions or remove unnecessary Contributor users until the patch is applied.
Plugin Deactivation
Temporarily deactivate the Hash Form plugin if it is not critical to site functionality.
🧯 If You Can't Patch
- Implement strict user role management and audit Contributor-level users
- Monitor form style changes and implement approval workflows for form modifications
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Hash Form version. If the version is 1.2.1 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=hash-form --field=version (if WP-CLI installed)
Verify Fix Applied:
After update, verify Hash Form plugin version is 1.2.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual form style creation events by Contributor users
- Multiple form style creation attempts from single user
Network Indicators:
- POST requests to form style creation endpoints from non-admin users
SIEM Query:
source="wordpress" AND (event="form_style_created" OR plugin_action="hash_form") AND user_role="contributor"