WordPress Plugin Vulnerabilities

Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF

Description

The plugin does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks

Proof of Concept

Affects Plugins

Plugin icon
visual-form-builder
Fixed in 3.0.8

References

CVE
CVE-2022-0141
URL
https://www.fortiguard.com/zeroday/FG-VD-21-081

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vishnupriya Ilango of Fortinet's FortiGuard Labs
Submitter
Vishnupriya ilango
Submitter website
https://www.fortiguard.com/zeroday
Verified
Yes
WPVDB ID
2adc8390-bb19-4adf-9805-e9c462d14d22

Timeline

Publicly Published
2022-04-11 (about 3 years ago)
Added
2022-04-11 (about 3 years ago)
Last Updated
2023-03-11 (about 2 years ago)

Other

Published
Title
Published
2025-03-04
Title
Spreadsheet Integration < 3.8.3 - Cross-Site Request Forgery to Arbitrary Post Publish
Published
2021-12-24
Title
Spreadsheet Integration < 3.6.0 - CSRF Bypass
Published
2022-09-23
Title
SEO Redirection < 9.1 - 404 Error & History Deletion via CSRF
Published
2023-05-19
Title
Groundhogg < 2.7.10 - Ticket Creation via CSRF
Published
2025-06-19
Title
WP Inventory Manager <= 2.3.4 - Cross-Site Request Forgery