5 matches found
CVE-2022-1046
The CVE-2022-1046 entry concerns the WordPress Visual Form Builder plugin prior to 3.0.7. The vulnerability arises because the plugin does not sanitize and escape the form field labeled 'Email to', enabling stored Cross-Site Scripting (XSS) by high-privilege users even when unfiltered_html is dis...
CVE-2022-0140
CVE-2022-0140 affects the WordPress Visual Form Builder plugin prior to 3.0.6 (also documented up to 3.0.8 in Nuclei templates). The vulnerability is an information-disclosure flaw caused by missing access control on the entry form export (vfb-export endpoint), allowing unauthenticated user...
CVE-2022-0141
CVE-2022-0141 is a CSRF vulnerability in the WordPress Visual Form Builder plugin, affecting versions prior to 3.0.8. The root cause is that nonce checks are not enforced, so an attacker who can lure a logged-in admin/editor into making a forged request can delete and restore arbitrary form entries. ...
CVE-2022-0142
CVE-2022-0142 concerns the WordPress Visual Form Builder plugin, in versions before 3.0.8. The vulnerability is a CSV injection flaw that allows a user with low or no privileges to inject a command into exported CSV data, with the potential for code execution. Concretely, the is...
CVE-2021-24514
CVE-2021-24514 – Visual Form Builder (WordPress). Root cause: The Visual Form Builder plugin is affected by a stored XSS vulnerability due to insufficient sanitization/escaping of the Form Name. This allows high-privilege users (e.g., admin) to inject XSS payloads, even when unfiltered_html is dis...