WordPress Plugin Vulnerabilities

Easy Form Builder < 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure

Description

The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive form response data, including messages, admin replies, and user information due to a logic error in the authorization check that uses AND (&&) instead of OR (||).

Affects Plugins

Plugin icon
easy-form-builder
Fixed in 3.9.4

References

CVE
CVE-2025-14067
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8fe397d3-68de-4358-8490-8fbafa1908ef

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Itthidej Aramsri (Boeing777)
Verified
No
WPVDB ID
ad8ec95e-2cc6-4645-bb6a-37a11bef23a1

Timeline

Publicly Published
2026-02-13 (about 1 month ago)
Added
2026-02-13 (about 1 month ago)
Last Updated
2026-02-14 (about 1 month ago)

Other

Published
Title
Published
2025-01-16
Title
Team 118GROUP Agent <= 1.6.0 - Missing Authorization to Unauthenticated Arbitrary Content Deletion
Published
2025-10-10
Title
Newsup < 5.0.11 - Missing Authorization to Authenticated (Subscriber+) Plugin Installation
Published
2025-01-16
Title
Minterpress <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2023-10-06
Title
Customer Reviews for WooCommerce < 5.36.1 - Missing Authorization in Reviews Exporter
Published
2025-05-07
Title
Blocksy < 2.0.98 - Missing Authorization