[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnsRGH0KzGRDYFEL4uXv_cuC7sxfmUO01VDZwwAHMifY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14067","easy-form-builder-missing-authorization-to-authenticated-subscriber-sensitive-form-response-data-exposure","Easy Form Builder \u003C= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure","The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive form response data, including messages, admin replies, and user information due to a logic error in the authorization check that uses AND (&&) instead of OR (||).","easy-form-builder",null,"\u003C=3.9.3","3.9.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-02-13 14:26:12","2026-02-14 03:25:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8fe397d3-68de-4358-8490-8fbafa1908ef?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2025-14067\n\n## 1. Vulnerability Summary\nThe **Easy Form Builder** plugin (versions \u003C= 3.9.3) contains a missing authorization vulnerability in several AJAX actions. The vulnerability stems from a logic error in the authorization check where the code uses a logical **AND (`&&`)** instead of a logical **OR (`||`)** when verifying user capabilities. This error allows any authenticated user with at least **Subscriber** level permissions to bypass intended administrative restrictions and access sensitive form response data, including user-submitted messages, admin replies, and personal information.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Vulnerable AJAX Actions**: \n    - `efb_get_responses_by_id` (Inferred)\n    - `efb_get_messages` (Inferred)\n    - `efb_get_report_details` (Inferred)\n- **Required Authentication**: Subscriber-level user or higher.\n- **Payload Parameters**:\n    - `action`: The vulnerable AJAX action (e.g., `efb_get_responses_by_id`).\n    - `id`: The ID of the form submission or message to retrieve.\n    - `nonce`: A valid security nonce (usually required for AJAX in this plugin).\n- **Vulnerability Mechanism**: The check `if ( ! current_user_can( 'manage_options' ) && ! is_user_logged_in() )` (or similar) incorrectly permits any logged-in user to pass, as `! is_user_logged_in()` evaluates to `false` for Subscribers, causing the entire `AND` condition to fail and bypass the `wp_die()` call.\n\n## 3. Code Flow\n1. **Entry Point**: The user sends a POST request to `admin-ajax.php` with a vulnerable `action`.\n2. **Hook Registration**: The plugin registers AJAX handlers in `includes\u002Fclass-easy-form-builder-ajax.php` (inferred) using `add_action( 'wp_ajax_...' )`.\n3. **Authorization Check (The Sink)**:\n   Inside the handler function (e.g., `get_responses_by_id`), the plugin performs a check similar to:\n   ```php\n   if ( ! current_user_can( 'manage_options' ) && ! is_user_logged_in() ) {\n       wp_die( 'Unauthorized' );\n   }\n   ```\n4. **Logic Failure**:\n   - For a Subscriber: `current_user_can( 'manage_options' )` is `false`, so `! current_user_can` is `true`.\n   - `is_user_logged_in()` is `true`, so `! is_user_logged_in()` is `false`.\n   - `true && false` evaluates to `false`.\n   - The `if` block is skipped, and the code proceeds to fetch data from the database.\n5. **Data Exposure**: The function queries `$wpdb->prefix . 'w_efb_responses'` and returns the sensitive data as a JSON response.\n\n## 4. Nonce Acquisition Strategy\nThe plugin typically enqueues a script and localizes it with a nonce for AJAX requests.\n\n1. **Identify Script Localization**: Look for `wp_localize_script` in the plugin's main files or admin classes. \n2. **Key Identifier**: The JS variable name is often `efb_var` or `w_efb_nonce`.\n3. **Extraction Steps**:\n   - Create a page containing an Easy Form Builder shortcode to ensure the scripts are loaded.\n   - Use `browser_navigate` as the Subscriber user to this page.\n   - Execute `browser_eval` to extract the nonce.\n   \n**Verification Command (for agent):**\n```javascript\n\u002F\u002F Example extraction\nbrowser_eval(\"window.efb_var?.nonce || window.w_efb_nonce\")\n```\n\n## 5. Exploitation Strategy\n1. **Pre-requisite**: An administrator must have at least one form with a submission.\n2. **Session**: Authenticate as a Subscriber user.\n3. **Nonce**: Obtain the nonce via `browser_eval` from any page where EFB scripts are active.\n4. **Target Request**:\n   - **Method**: POST\n   - **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Content-Type**: `application\u002Fx-www-form-urlencoded`\n   - **Body**:\n     ```\n     action=efb_get_responses_by_id&id=1&nonce=[EXTRACTED_NONCE]\n     ```\n5. **Observation**: If successful, the response will be a JSON object containing the full content of submission ID 1, including potentially private fields like email, phone number, and message content.\n\n## 6. Test Data Setup\n1. **Create Form**: Use WP-CLI to create a form or rely on default EFB setup.\n2. **Create Submission**: Simulate a form submission as a guest or admin to populate the `w_efb_responses` table.\n   ```bash\n   # Use the plugin's submission endpoint or insert directly via SQL if needed\n   wp db query \"INSERT INTO wp_w_efb_responses (form_id, content, user_info) VALUES (1, 'Sensitive Data', '{\\\"email\\\":\\\"victim@example.com\\\"}')\"\n   ```\n3. **Create Attacker**: Create a user with the `subscriber` role.\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n   ```\n4. **Create Trigger Page**:\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_title=\"Forms\" --post_content=\"[efb_form id='1']\"\n   ```\n\n## 7. Expected Results\n- **Success**: The server returns a `200 OK` status and a JSON body containing the details of the submission (e.g., `{\"status\": \"success\", \"data\": {...}}`).\n- **Failure (Patched)**: The server returns a `403 Forbidden` or `wp_die` message \"Unauthorized\" or similar.\n\n## 8. Verification Steps\n1. **Check Response**: Inspect the JSON response for sensitive fields (email, names, message body).\n2. **Database Cross-Reference**: Verify the returned ID and content match the entry in the `wp_w_efb_responses` table.\n   ```bash\n   wp db query \"SELECT * FROM wp_w_efb_responses WHERE id=1\"\n   ```\n\n## 9. Alternative Approaches\n- **Action Brute Force**: If `efb_get_responses_by_id` is not the exact name, check the `includes\u002Fclass-easy-form-builder-ajax.php` file for any `add_action('wp_ajax_...', ...)` registrations.\n- **Admin Reply Exposure**: Try the action `efb_get_messages` which is often used to display admin replies to specific form submissions.\n- **Reporting Endpoint**: Check for `efb_get_form_report`, which might expose aggregated form data.","The Easy Form Builder plugin for WordPress is vulnerable to sensitive data exposure due to a logical error in its authorization checks for multiple AJAX actions. By incorrectly using a logical 'AND' instead of 'OR' when verifying administrative privileges, the plugin allows any authenticated user, such as a Subscriber, to retrieve private form submissions and response data.","\u002F\u002F Inferred from: includes\u002Fclass-easy-form-builder-ajax.php\n\nif ( ! current_user_can( 'manage_options' ) && ! is_user_logged_in() ) {\n    wp_die( 'Unauthorized' );\n}\n\n---\n\n\u002F\u002F Impacted AJAX actions inferred from plugin logic:\n\u002F\u002F action=efb_get_responses_by_id\n\u002F\u002F action=efb_get_messages\n\u002F\u002F action=efb_get_report_details","--- a\u002Fincludes\u002Fclass-easy-form-builder-ajax.php\n+++ b\u002Fincludes\u002Fclass-easy-form-builder-ajax.php\n@@ -unknown,1 +unknown,1 @@\n-if ( ! current_user_can( 'manage_options' ) && ! is_user_logged_in() )\n+if ( ! current_user_can( 'manage_options' ) || ! is_user_logged_in() )","1. Authenticate to the WordPress site as a user with Subscriber-level permissions or higher.\n2. Navigate to a page where Easy Form Builder scripts are loaded (usually a page containing a form) and extract the security nonce from the global JavaScript variable 'efb_var' or 'w_efb_nonce'.\n3. Construct an AJAX request targeting '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to 'efb_get_responses_by_id' and the 'id' parameter set to the ID of the submission to retrieve.\n4. Include the extracted nonce in the 'nonce' parameter.\n5. Send the POST request; due to the logic error (AND vs OR), the server will skip the authorization check and return a JSON object containing sensitive form submission data, including user emails and message content.","gemini-3-flash-preview","2026-04-20 23:43:31","2026-04-20 23:45:28",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.9.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-form-builder\u002Ftags\u002F3.9.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-form-builder.3.9.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-form-builder\u002Ftags\u002F3.9.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-form-builder.3.9.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-form-builder\u002Ftags"]