CVE-2022-0163 – Smart Forms < 2.6.71 - Subscriber+ Form Data Download
https://notcve.org/view.php?id=CVE-2022-0163
The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated user, such as a subscriber, to download any form's data, which could include sensitive information such as PII depending on the form.
• https://wpscan.com/vulnerability/2b6b0731-4515-498a-82bd-d416f5885268
• CWE-862: Missing Authorization
CVE-2019-5924 – Smart Forms < 2.6.26 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-5924
Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.
• http://jvn.jp/jp/JVN97656108/index.html
• https://wordpress.org/plugins/smart-forms/#developers
• https://wpvulndb.com/vulnerabilities/9232
• CWE-352: Cross-Site Request Forgery (CSRF)