GHSA-cvpc-hccg-wmw4
Formie: Missing authorization in administrative settings allows low-privileged CP users to modify plugin configuration
Details
Formie contains a missing authorization vulnerability in administrative settings routes. An authenticated, non-admin Craft CMS control panel user with limited Formie access could directly access Formie settings pages and modify global plugin configuration.
In affected versions, Formie settings-related control panel routes did not consistently enforce the required settings permission on the server side. A low-privileged Craft CMS control panel user with limited Formie access could access /admin/formie/settings, save changes to global plugin settings, and access /admin/formie/settings/import-export.
The issue has been fixed by enforcing the formie-accessSettings permission across Formie settings controllers and related settings actions.
### Impact An authenticated low-privileged CP user may be able to: - Access Formie administrative settings. - Modify global Formie plugin configuration. - Access Formie import/export settings functionality.
This may allow configuration tampering and disruption of form-related workflows. Exploitation requires an authenticated Craft CMS control panel account.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 3.1.28 composer require verbb/formie:^3.1.28