Smart Forms < 2.6.71 - Subscriber+ Form Data Download
CVE-2022-0163

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Smart Forms – When You Need More Than Just A Contact Form
Vendor: CVE Published:; 7 March 2022

Summary

The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form.

Affected Version(s)

Smart Forms – when you need more than just a contact form 2.6.71

References

https://wpscan.com/vulnerability/2b6b0731-4515-498a-82bd-...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2022
Vulnerability Reserved
Jan 10, 2022

Credit

Krzysztof Zając