CVE-2024-50428 – This CVE describes a Missing Authorization vuln... (How to Fix)

Q: What is the severity of CVE-2024-50428?

CVE-2024-50428 has a CVSS score of 4.3 (MEDIUM). This CVE describes a Missing Authorization vulnerability in Mondula GmbH's Multi Step Form WordPress plugin that allows attackers to bypass access controls. It affects all versions up to 1.7.21, potentially enabling unauthorized access to form data or administrative functions. WordPress site administrators using this plugin are affected.

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in Mondula GmbH's Multi Step Form WordPress plugin that allows attackers to bypass access controls. It affects all versions up to 1.7.21, potentially enabling unauthorized access to form data or administrative functions. WordPress site administrators using this plugin are affected.

💻 Affected Systems

Products:

Mondula GmbH Multi Step Form WordPress Plugin

Versions: n/a through 1.7.21

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects WordPress installations with the Multi Step Form plugin installed and activated.

📦 What is this software?

Multi Step Form by Mondula

View all CVEs affecting Multi Step Form →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive form submissions, modify form configurations, or potentially escalate privileges to compromise the WordPress site.

🟠

Likely Case

Unauthorized viewing or manipulation of form data submitted by users, potentially exposing PII or other sensitive information.

🟢

If Mitigated

Proper access controls would prevent unauthorized access, limiting impact to legitimate users only.

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing and this vulnerability requires no authentication.

🏢 Internal Only: MEDIUM - Internal systems using the plugin could still be vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Missing authorization vulnerabilities typically have low exploitation complexity as they involve accessing endpoints without proper checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.22 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/multi-step-form/wordpress-multi-step-form-plugin-1-7-21-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Multi Step Form' and click 'Update Now'. 4. Verify update to version 1.7.22 or higher.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate multi-step-form

Restrict Access

all

Use web application firewall rules to restrict access to plugin endpoints

# Add WAF rules to block unauthorized access to /wp-content/plugins/multi-step-form/

🧯 If You Can't Patch

Implement strict network segmentation to isolate WordPress installation
Enable detailed logging and monitoring for unauthorized access attempts to plugin endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Multi Step Form → Version. If version is 1.7.21 or lower, you are vulnerable.

Check Version:

wp plugin get multi-step-form --field=version

Verify Fix Applied:

After updating, verify version shows 1.7.22 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to /wp-content/plugins/multi-step-form/ endpoints
Multiple failed authentication attempts followed by successful access to form data

Network Indicators:

Unusual traffic patterns to plugin-specific endpoints from unexpected sources
HTTP requests bypassing normal authentication flows

SIEM Query:

source="wordpress.log" AND (uri="/wp-content/plugins/multi-step-form/*" AND NOT user_agent="WordPress/*")

📊 Metadata

CVE ID: CVE-2024-50428

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-862

Published: October 29, 2024

Last Updated: February 27, 2025

🔗 References

https://patchstack.com/database/vulnerability/multi-step-form/wordpress-multi-step-form-plugin-1-7-21-broken-access-control-vulnerability?_s_id=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-50428, you might also want to check these: