The sb_elem_cfd_download_csv function, registered as an admin_init() hook, does not have capability or CSRF checks, allowing unauthenticated attackers to download arbitrary form submissions as a CSV file. The data will include PII such as email addresses. A CSRF check was added, but no capability check, so the vulnerability would still be exploitable if attackers managed to get the related nonce generated for their session.
https://example.com/wp-admin/admin-post.php?download_csv=1&form_name=358
https://example.com/wp-admin/admin-post.php?download_csv=1&form_id=NewForm
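The fix the description calls for pairs the nonce check with a capability check. The handler below is an added example, not the plugin's own code: every `example_*` name, the nonce action, the `manage_options` capability choice and the option-based storage are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. All example_* names, the nonce
// action and the option-based storage are hypothetical.

add_action( 'admin_init', 'example_cfd_download_csv' );

function example_cfd_download_csv() {
    // admin_init also fires on admin-post.php and admin-ajax.php before any
    // login check, so registering on this hook authorizes nothing by itself.
    if ( empty( $_GET['download_csv'] ) ) {
        return;
    }

    // Capability check: only users allowed to manage the site may export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to export submissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: dies unless _wpnonce is valid for this action and user.
    check_admin_referer( 'example_cfd_download_csv' );

    $form_name = isset( $_GET['form_name'] )
        ? sanitize_text_field( wp_unslash( $_GET['form_name'] ) )
        : '';
    // Assumed storage: one option per form holding an array of rows.
    $rows = get_option( 'example_cfd_rows_' . $form_name, array() );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="submissions.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( (array) $rows as $row ) {
        fputcsv( $out, (array) $row );
    }
    fclose( $out );
    exit;
}

// Export link for an admin screen; wp_nonce_url() appends the _wpnonce value.
function example_cfd_export_url( $form_name ) {
    $url = add_query_arg(
        array( 'download_csv' => 1, 'form_name' => $form_name ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_cfd_download_csv' );
}
```

The capability check runs first, so a request that carries a valid nonce but comes from a user without `manage_options` is still refused.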
Yes
2021-01-13 (about 2 years ago)