Can you explain this vulnerability to me?

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 6.0.6. This means the plugin does not properly verify whether a user is authorized to perform certain actions.

As a result, authenticated users with subscriber-level access or higher can view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other information submitted through site forms.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows attackers with low-level authenticated access to view sensitive visitor data submitted through site forms. This can lead to unauthorized disclosure of personal information such as contact details and messages.

The exposure of such data can compromise user privacy and potentially lead to further attacks or misuse of the information.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows authenticated attackers with subscriber-level access to view all Kirki frontend forms and read stored visitor form submission data, including contact details and messages.

This unauthorized access to personal and visitor-provided information could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal data.

Therefore, the vulnerability potentially compromises compliance with these standards by exposing sensitive user data without proper authorization.

Useful 0 Not Useful 0