The Smart Forms WordPress plugin before 2.6.71 does not perform an authorisation check in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated user, such as a subscriber, to download the data of arbitrary forms, which could include sensitive information such as PII, depending on the form.
[
  {
    "product": "Smart Forms – when you need more than just a contact form",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.6.71",
        "status": "affected",
        "version": "2.6.71",
        "versionType": "custom"
      }
    ]
  }
]