CVE-2025-0939
📋 TL;DR
The MagicForm WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level permissions or higher to perform administrative actions. Attackers can delete/view logs, modify forms, and change plugin settings without proper authorization. All WordPress sites using MagicForm version 1.6.2 or earlier are affected.
💻 Affected Systems
- MagicForm WordPress Plugin
📦 What is this software?
Magicform by Dcooperman
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could delete form submission logs, modify forms to capture sensitive data, or disable security settings, potentially leading to data loss, data theft, or further compromise.
Likely Case
Attackers with basic WordPress accounts (Subscriber role) will modify forms to capture sensitive user data or delete logs to cover their tracks.
If Mitigated
With proper role-based access controls and monitoring, impact is limited to unauthorized configuration changes that can be detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via crafted AJAX requests. Subscriber role is the default lowest WordPress user role.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/magicform/trunk/admin/admin-menu.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the MagicForm plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.6.3 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Temporary Role Restriction
Temporarily restrict Subscriber role capabilities or disable user registration until the patch is applied.
wp role reset subscriber --allow-root
wp option update users_can_register 0 --allow-root
Plugin Deactivation
Deactivate the MagicForm plugin if it is not critically needed.
wp plugin deactivate magicform --allow-root
🧯 If You Can't Patch
- Implement strict network access controls to limit WordPress admin area to trusted IPs only.
- Enable detailed logging of all AJAX requests and user actions for anomaly detection.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the MagicForm version. If the version is 1.6.2 or lower, the site is vulnerable.
Check Version:
wp plugin get magicform --field=version --allow-root
Verify Fix Applied:
After update, verify MagicForm version shows 1.6.3 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to /wp-admin/admin-ajax.php with 'action' parameter containing 'magicform' from non-admin users
- Unexpected modifications to MagicForm settings or forms in database logs
Network Indicators:
- POST requests to admin-ajax.php with magicform-related actions from non-privileged user accounts
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" AND "magicform" AND NOT user_role="administrator")
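The log and network indicators above, implemented as a small detector that can be run over an exported audit log. This is an added example, not code from the advisory or from the MagicForm plugin. It assumes a constructed JSON-lines log in which each record carries the request method, URI, optional POST body, the authenticated user and that user's WordPress role; stock WordPress does not log roles by default, so an audit-log plugin or reverse proxy would have to supply that field. The field names, user names and timestamps are all constructed.

```python
"""Flag admin-ajax.php requests carrying a magicform action from non-admin users.

Added example (not the advisory's or the plugin's code). Assumes a JSON-lines
audit log with the fields: ts, method, uri, body (optional), user, role.
"""
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample records; not real traffic. Record 1 and 4 should be
# flagged (magicform action from subscriber/editor), the others should not.
SAMPLE_LOG = """\
{"ts": "2025-02-01T10:00:01Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php?action=magicform_delete_log", "user": "bob", "role": "subscriber"}
{"ts": "2025-02-01T10:00:05Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php?action=magicform_save_settings", "user": "alice", "role": "administrator"}
{"ts": "2025-02-01T10:00:09Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php?action=heartbeat", "user": "bob", "role": "subscriber"}
{"ts": "2025-02-01T10:00:12Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=magicform_update_form&form_id=3", "user": "carol", "role": "editor"}
{"ts": "2025-02-01T10:00:15Z", "method": "GET", "uri": "/wp-login.php", "user": "", "role": ""}
"""


def request_action(record):
    """Return the WordPress AJAX 'action' value for an admin-ajax.php request.

    The action may travel in the query string (GET or POST) or in the POST
    body; the body is checked second so a body value overrides a query value,
    matching how PHP's $_REQUEST is typically populated. Returns None for
    any request that is not to admin-ajax.php or carries no action.
    """
    parts = urlsplit(record.get("uri", ""))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)
    params.update(parse_qs(record.get("body", "")))
    values = params.get("action")
    return values[0] if values else None


def flag_magicform_abuse(log_text, privileged_roles=("administrator",)):
    """Return one dict per request where a non-privileged user sent a
    magicform-related AJAX action (the advisory's log/network indicator)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        action = request_action(rec)
        if action is None or "magicform" not in action.lower():
            continue
        if rec.get("role") in privileged_roles:
            continue  # administrators are expected to manage the plugin
        hits.append({
            "ts": rec.get("ts"),
            "method": rec.get("method"),
            "user": rec.get("user"),
            "role": rec.get("role"),
            "action": action,
        })
    return hits


if __name__ == "__main__":
    for hit in flag_magicform_abuse(SAMPLE_LOG):
        print(hit)
```

On a site where Editors legitimately manage forms, widen `privileged_roles` accordingly; the point of the check is the mismatch between the role and a plugin action that should require administrative capabilities, so each hit is a candidate for review rather than an automatic verdict.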