cleantalk
Vulnerabilities and Security Researches

Doppler Forms, CVE-2025-9544

CVE, Research URL

CVE-2025-9544

Home page URL

Security reports for Doppler Forms

Application

Doppler Forms

Published on
Oct 29, 2025
Research Description
The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1).
Affected versions
max 2.6.0.
Status
vulnerable
Previous vulnerability researches
Ditty – Responsive News Tickers, Sliders, and Lists (CVE-2024-5575) , Jul 13, 2024
Ditty – Responsive News Tickers, Sliders, and Lists (CVE-2023-23874) , Jun 07, 2024
Ditty – Responsive News Tickers, Sliders, and Lists (CVE-2023-4148) , Jun 07, 2024
Ditty – Responsive News Tickers, Sliders, and Lists (CVE-2024-32569) , Jun 07, 2024
Ditty – Responsive News Tickers, Sliders, and Lists (CVE-2022-0533) , Jun 07, 2024
New vulnerability
IDPay Payment Gateway for Woocommerce (CVE-2026-34891) , Apr 27, 2026
Doppler Forms (CVE-2025-9544) , Apr 27, 2026
Acclectic Media Organizer (CVE-2025-48326) , Apr 27, 2026
Contact Form 7 reCAPTCHA (CVE-2025-8280) , Apr 27, 2026
Backup Migration (CVE-2026-39480) , Apr 27, 2026