VDB
KO
MEDIUM 6.3

GHSA-cvpc-hccg-wmw4

Formie: Missing authorization in administrative settings allows low-privileged CP users to modify plugin configuration

Details

Formie contains a missing authorization vulnerability in administrative settings routes. An authenticated, non-admin Craft CMS control panel user with limited Formie access could directly access Formie settings pages and modify global plugin configuration.

In affected versions, Formie settings-related control panel routes did not consistently enforce the required settings permission on the server side. A low-privileged Craft CMS control panel user with limited Formie access could access /admin/formie/settings, save changes to global plugin settings, and access /admin/formie/settings/import-export.

The issue has been fixed by enforcing the formie-accessSettings permission across Formie settings controllers and related settings actions.

### Impact An authenticated low-privileged CP user may be able to: - Access Formie administrative settings. - Modify global Formie plugin configuration. - Access Formie import/export settings functionality.

This may allow configuration tampering and disruption of form-related workflows. Exploitation requires an authenticated Craft CMS control panel account.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / verbb/formie
Introduced in: 0 Fixed in: 3.1.28
Fix composer require verbb/formie:^3.1.28

References