Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
Severity: 5.3 MEDIUM
EPSS: 12.2% (top 6.17%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Apr 12
Latest update: Jan 10

Description

The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export them as a CSV file using the vfb-export endpoint.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages: 2 packages

🔴 Vulnerability Details (2)

GHSA
GHSA-rmwm-c9cm-59pw: The Visual Form Builder WordPress plugin before 3 | 2022-04-13
CVEList
Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure | 2022-04-12

💥 Exploits & PoCs (1)

Nuclei
WordPress Visual Form Builder <3.0.8 - Information Disclosure

📋 Vendor Advisories (1)

Chrome
Stable Channel Update for Desktop: CVE-2023-0138 | 2023-01-10
CVE-2022-0140 (MEDIUM CVSS 5.3) | The Visual Form Builder WordPress p | cvebase.io