Ninja Forms < 3.6.8-wp – Unauthenticated Email Address Disclosure | Plugin Vulnerabilities

Description

The plugin does not delete the temporary files created when exporting submissions, which could allow unauthenticated attackers to download them and get sensitive information such as the email address of users who submitted a form given that the file is publicly accessible, and with a guessable name

Proof of Concept

The exported CSV (generated when exporting all submissions via the "Download All Submissions" button) are stored in the /wp-content/uploads/<year>/<month> folder using the following format: form-<id>-all-subs.csv

Example: https://example.com/wp-content/uploads/2022/03/form-1-all-subs.csv

Affects Plugins

Fixed in 3.6.8-wp

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Agence Web Coheractio

Verified

Yes

WPVDB ID

cec7d366-7663-4b83-9640-a58f2fcf5e41

Timeline

Publicly Published

2022-03-22 (about 3 years ago)

Added

2022-03-22 (about 3 years ago)

Last Updated

2022-03-23 (about 3 years ago)

Other

Published

Title

Published

2024-10-09

Title

Keep Backup Daily <= 2.1.1 - Unauthenticated Information Disclosure

Published

2024-08-28

Title

Popup Builder < 4.3.7 - Sensitive Information Exposure via Imported Subscribers CSV File

Published

2024-03-04

Title

JM Twitter Cards < 14.1.0 - Password Protected Post Access

Published

2024-07-12

Title

Zephyr Project Manager < 3.3.100 - Unauthenticated Information Exposure

Published

2024-12-11

Title

WP-NERD Toolkit <= 1.1 - Unauthenticated Information Exposure