WordPress Plugin Vulnerabilities

Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure

Description

The plugin does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.

Proof of Concept

Affects Plugins

Plugin icon
visual-form-builder
Fixed in 3.0.6

References

CVE
CVE-2022-0140
URL
https://www.fortiguard.com/zeroday/FG-VD-21-082

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
Vishnupriya Ilango of Fortinet's FortiGuard Labs
Submitter
Vishnupriya ilango
Submitter website
https://www.fortiguard.com/zeroday
Verified
Yes
WPVDB ID
9fa2b3b6-2fe3-40f0-8f71-371dd58fe336

Timeline

Publicly Published
2021-11-03 (about 4 years ago)
Added
2022-04-11 (about 3 years ago)
Last Updated
2023-07-24 (about 2 years ago)

Other

Published
Title
Published
2025-08-26
Title
Parallax Section block < 2.0.0 - Missing Authorization
Published
2026-01-16
Title
Wallet System for WooCommerce < 2.7.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation
Published
2024-12-11
Title
de:branding <= 1.0.2 - Authenticated (Subscriber+) Arbitrary Options Update
Published
2025-01-24
Title
Bridge Core < 3.3.1 - Missing Authorization
Published
2025-11-18
Title
CBX Bookmark & Favorite < 2.0.2 - Missing Authorization