CVE-2022-0140

Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure

EPSS 3.8%

Vexday Risk Score

18Low

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 3.8%KEV nãoPoC —Nuclei simMetasploit —Patch —

Lifecycle

12 Apr 2022Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.

Affected products

Unknown · Visual Form Builder

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336 https://www.fortiguard.com/zeroday/FG-VD-21-082