CVE-2025-9544

MEDIUM 6.5

Doppler Forms <= 2.5.1 - Subscriber+ Limited Plugin Installation

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

9th

The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1).

Vendor	unknown
Product	doppler forms
Published	Oct 29, 2025
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for unknown doppler forms

Be the first to know when new medium vulnerabilities affecting unknown doppler forms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / Doppler Forms

0 ≤ 2.5.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/06312fba-dfc5-47af-afe3-b01d8941acbf/

Credits

Khaled Alenazi (Nxploited) WPScan