History: Mar 07, 2022 - 8:16 a.m.

CVE-2022-0163 Smart Forms < 2.6.71 - Subscriber+ Form Data Download

2022-03-07 08:16:22
CWE-862
WPScan
www.cve.org
smart forms
authorization
vulnerability
data download
wordpress
plugin
pii

EPSS

0.001

Percentile

32.8%

The Smart Forms WordPress plugin before 2.6.71 does not perform an authorisation check in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated user, such as a subscriber, to download the data of arbitrary forms, which could include sensitive information such as PII, depending on the form.

CNA Affected

[
  {
    "product": "Smart Forms – when you need more than just a contact form",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.6.71",
        "status": "affected",
        "version": "2.6.71",
        "versionType": "custom"
      }
    ]
  }
]
