CVE-2022-0140
published 2022-04-12
Priority P3 · 41 · medium · 5.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 3.84% (88.8th percentile)
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome_chrome | — | — | |
| vfbpro | visual_form_builder | < 3.0.6 | 3.0.6 |
CVSS provenance
nvd · v3.1 · 5.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
GHSA
GHSA-rmwm-c9cm-59pw: The Visual Form Builder WordPress plugin before 3
ghsa_unreviewed·2022-04-13
CVE-2022-0140 [MEDIUM] CWE-200 GHSA-rmwm-c9cm-59pw: The Visual Form Builder WordPress plugin before 3
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.
Chrome
Stable Channel Update for Desktop: CVE-2023-0138
vendor_chrome·2023-01-10·CVSS 8.8
CVE-2023-0138 [LOW] Stable Channel Update for Desktop: CVE-2023-0138
Stable Channel Update for Desktop
CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
[$2000][1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
[$1000][1326788] Low CVE-2023-0140: Inappropriate implementation in File System API
Severity: low
No detection rules found.
Nuclei
WordPress Visual Form Builder <3.0.8 - Information Disclosure
nuclei·CVSS 5.3
CVE-2022-0140 [MEDIUM] WordPress Visual Form Builder <3.0.8 - Information Disclosure
WordPress Visual Form Builder plugin before 3.0.8 contains an information disclosure vulnerability. The plugin does not perform access control on entry form export, allowing an unauthenticated user to export the form entries as CSV files using the vfb-export endpoint.
Template:
```yaml
id: CVE-2022-0140
info:
  name: WordPress Visual Form Builder <3.0.8 - Information Disclosure
  author: random-robbie
  severity: medium
  description: |
    WordPress Visual Form Builder plugin before 3.0.8 contains a information disclosure vulnerability. The plugin does not perform access control on entry form export, allowing an unauthenticated user to export the form entries as CSV files using the vfb-export endpoint.
  impact: |
    Successful exploitation of this
```
No writeups or analysis indexed.