Search criteria
3 vulnerabilities by websoudan
CVE-2026-6206 (GCVE-0-2026-6206)
Vulnerability from cvelistv5 – Published: 2026-05-14 08:24 – Updated: 2026-05-14 10:42
VLAI
Title
MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
Summary
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| websoudan | MW WP Form |
Affected:
0 , ≤ 5.1.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T10:37:30.303141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T10:42:52.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MW WP Form",
"vendor": "websoudan",
"versions": [
{
"lessThanOrEqual": "5.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kirasec"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T08:24:26.532Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f2c39f6-3d37-4765-99e8-023610856b61?source=cve"
},
{
"url": "https://github.com/web-soudan/mw-wp-form/commit/77aed98f56fdddc19bddf21c8f12faa5086d9202"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3516013/mw-wp-form"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-10T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-04-13T12:08:15.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-13T19:51:32.000Z",
"value": "Disclosed"
}
],
"title": "MW WP Form \u003c= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via \u0027post_id\u0027 Query Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6206",
"datePublished": "2026-05-14T08:24:26.532Z",
"dateReserved": "2026-04-13T11:52:59.172Z",
"dateUpdated": "2026-05-14T10:42:52.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46206 (GCVE-0-2023-46206)
Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2026-04-29 09:51
VLAI
Title
WordPress MW WP Form plugin <= 4.4.5 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Webの相談所 MW WP Form mw-wp-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MW WP Form: from n/a through <= 4.4.5.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Webの相談所 | MW WP Form |
Affected:
0 , ≤ 4.4.5
(custom)
|
Date Public
2026-04-22 14:34
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T17:41:15.137938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T19:09:07.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "mw-wp-form",
"product": "MW WP Form",
"vendor": "Web\u306e\u76f8\u8ac7\u6240",
"versions": [
{
"changes": [
{
"at": "5.0.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.4.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Revan Arifio | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:34:26.832Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Web\u306e\u76f8\u8ac7\u6240 MW WP Form mw-wp-form allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects MW WP Form: from n/a through \u003c= 4.4.5.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Web\u306e\u76f8\u8ac7\u6240 MW WP Form mw-wp-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MW WP Form: from n/a through \u003c= 4.4.5."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:51:49.884Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/mw-wp-form/vulnerability/wordpress-mw-wp-form-plugin-4-4-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress MW WP Form plugin \u003c= 4.4.5 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-46206",
"datePublished": "2025-01-02T12:00:16.727Z",
"dateReserved": "2023-10-18T13:40:25.978Z",
"dateUpdated": "2026-04-29T09:51:49.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-24804 (GCVE-0-2024-24804)
Vulnerability from cvelistv5 – Published: 2024-02-10 07:45 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress MW WP Form Plugin <= 5.0.6 is vulnerable to Cross Site Scripting (XSS)
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Form allows Stored XSS.This issue affects MW WP Form: from n/a through 5.0.6.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/mw-… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| websoudan | MW WP Form |
Affected:
n/a , ≤ 5.0.6
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-11T16:56:43.479232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T20:46:36.874Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/mw-wp-form/wordpress-mw-wp-form-plugin-5-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "mw-wp-form",
"product": "MW WP Form",
"vendor": "websoudan",
"versions": [
{
"lessThanOrEqual": "5.0.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Huynh Tien Si (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in websoudan MW WP Form allows Stored XSS.\u003cp\u003eThis issue affects MW WP Form: from n/a through 5.0.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in websoudan MW WP Form allows Stored XSS.This issue affects MW WP Form: from n/a through 5.0.6."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:10.656Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/mw-wp-form/wordpress-mw-wp-form-plugin-5-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress MW WP Form Plugin \u003c= 5.0.6 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-24804",
"datePublished": "2024-02-10T07:45:51.290Z",
"dateReserved": "2024-01-31T13:55:07.177Z",
"dateUpdated": "2026-04-28T16:09:10.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}