Zero-Day Advisory
Fortinet Discovers WordPress Visual Form Builder Plugin Information Disclosure Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered an Information Disclosure vulnerability in the WordPress Visual Form Builder plugin.
Visual Form Builder is a plugin that allows you to build and manage all kinds of forms for your website in a single place. It has over 50,000 active installations.
The Visual Form Builder plugin does not perform access control on form entry export. Any unauthenticated user can view the form entries or export them as a CSV file using the vfb-export endpoint.
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability: WordPress.Visual.Form.Builder.Plugin.Information.Disclosure
Released Jun 06, 2022
Upgrade to version 3.0.7 or higher.
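To apply the upgrade advice across many sites, the following added example (not part of the Fortinet advisory or the plugin's own code) audits WordPress trees on disk for copies of the plugin older than 3.0.7. The directory and file name visual-form-builder and the "Version:" plugin header line are assumptions; the tree built in demo() is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 0, 7)             # first fixed release, per the advisory
SLUG = "visual-form-builder"  # assumed plugin directory and main file name
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)


def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = HEADER.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def needs_upgrade(version):
    """True when version is below 3.0.7; an unreadable version counts as True."""
    if version is None:
        return True
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def audit(root):
    """Find every copy of the plugin under root and report its status."""
    findings = []
    for main in sorted(Path(root).rglob(f"wp-content/plugins/{SLUG}/{SLUG}.php")):
        # WordPress reads plugin headers from the first 8 KiB of the file.
        head = main.read_text(encoding="utf-8", errors="replace")[:8192]
        version = parse_version(head)
        findings.append((str(main.parent), version, needs_upgrade(version)))
    return findings


def demo():
    """Run the audit over a constructed tree holding two sites (sample data)."""
    samples = {"site-a": "3.0.6", "site-b": "3.0.7"}
    with tempfile.TemporaryDirectory() as root:
        for site, ver in samples.items():
            d = Path(root, site, "wp-content", "plugins", SLUG)
            d.mkdir(parents=True)
            (d / f"{SLUG}.php").write_text(
                f"<?php\n/*\nPlugin Name: Visual Form Builder\nVersion: {ver}\n*/\n",
                encoding="utf-8")
        return [(Path(p).parents[2].name, v, bad) for p, v, bad in audit(root)]


if __name__ == "__main__":
    for site, version, bad in demo():
        print(site, version, "UPGRADE" if bad else "ok")
```

A copy whose version header cannot be read is reported as needing an upgrade so that it gets a manual look rather than being silently passed.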
Timeline
Fortinet reported the vulnerability to VFBpro Team on Oct 29, 2021
VFBpro Team confirmed the vulnerability on Nov 3, 2021
VFBpro Team patched the vulnerability on Nov 3, 2021