CVSS: 8.8 | EPSS: % | CPEs: 1 | EXPL: 0

The Smart Forms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the smart_forms_save_settings() function hooked via AJAX in versions up to, and including, 2.6.84. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options which can be used for remote code execution.
• CWE-862: Missing Authorization

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated user, such as a subscriber, to download arbitrary forms' data, which could include sensitive information such as PII depending on the form.
• https://wpscan.com/vulnerability/2b6b0731-4515-498a-82bd-d416f5885268
• CWE-862: Missing Authorization

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.
• http://jvn.jp/jp/JVN97656108/index.html
• https://wordpress.org/plugins/smart-forms/#developers
• https://wpvulndb.com/vulnerabilities/9232
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

The "Smart Forms – when you need more than just a contact form" plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the rednao_smart_forms_save_form_values function in versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to edit forms, including entering stored cross-site scripting, as output is not properly escaped.
• CWE-862: Missing Authorization