CVE-2022-0140 (GCVE-0-2022-0140)

Vulnerability from cvelistv5 – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
Title
Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure
Summary
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export them as a CSV file using the vfb-export endpoint.
Severity ?
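No CVSS data available in the CNA record. The NVD enrichment embedded in the record below rates it CVSS 3.1 base score 5.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.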
Assigner: WPScan
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 0 , < 3.0.6 (custom)
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs (finder); WPScan (coordinator)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.793Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-24T09:16:04.380Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
        },
        {
          "url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.6 - Unauthenticated Information Disclosure",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0140",
    "datePublished": "2022-04-12T11:15:20",
    "dateReserved": "2022-01-06T00:00:00",
    "dateUpdated": "2024-08-02T23:18:41.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vfbpro:visual_form_builder:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"3.0.6\", \"matchCriteriaId\": \"2525917B-7FE5-465E-9AF3-0C716783530B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.\"}, {\"lang\": \"es\", \"value\": \"El plugin Visual Form Builder WordPress antes de la versi\\u00f3n 3.0.8 no realiza un control de acceso en la exportaci\\u00f3n de formularios de entrada, permitiendo a los usuarios no autentificados ver las entradas del formulario o exportarlo como un archivo CSV usando el endpoint vfb-export\"}]",
      "id": "CVE-2022-0140",
      "lastModified": "2024-11-21T06:37:59.240",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-04-12T12:15:08.183",
      "references": "[{\"url\": \"https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.fortiguard.com/zeroday/FG-VD-21-082\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.fortiguard.com/zeroday/FG-VD-21-082\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "contact@wpscan.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-0140\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-04-12T12:15:08.183\",\"lastModified\":\"2024-11-21T06:37:59.240\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.\"},{\"lang\":\"es\",\"value\":\"El plugin Visual Form Builder WordPress antes de la versi\u00f3n 3.0.8 no realiza un control de acceso en la exportaci\u00f3n de formularios de entrada, permitiendo a los usuarios no autentificados ver las entradas del formulario o exportarlo como un archivo CSV usando el endpoint vfb-export\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\
"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vfbpro:visual_form_builder:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"3.0.6\",\"matchCriteriaId\":\"2525917B-7FE5-465E-9AF3-0C716783530B\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.fortiguard.com/zeroday/FG-VD-21-082\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.fortiguard.com/zeroday/FG-VD-21-082\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}







Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

