FireBox Popups <= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Parameter
Description
The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'form_id' parameter. This makes it possible for unauthenticated attackers to extract download a full CSV export of all form submissions — including any personally identifiable information submitted by users — for any arbitrary form_id.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
What Changed in the Fix
Changes introduced in v3.1.8
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-12120 ## 1. Vulnerability Summary **CVE-2026-12120** is a sensitive information exposure vulnerability in the **FireBox Popups** plugin (versions <= 3.1.7). The vulnerability exists within the `maybeExportSubmsissions` method of the `FireBox\Core\Admin\Admin`…
Show full research plan
Exploitation Research Plan - CVE-2026-12120
1. Vulnerability Summary
CVE-2026-12120 is a sensitive information exposure vulnerability in the FireBox Popups plugin (versions <= 3.1.7). The vulnerability exists within the maybeExportSubmsissions method of the FireBox\Core\Admin\Admin class.
The plugin fails to perform any authentication or authorization checks (such as current_user_can) or nonce verification before processing a request to export form submissions. An unauthenticated attacker can trigger a full CSV download of all PII (Personally Identifiable Information) submitted through any form by providing its form_id.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(or any admin-context URL that triggers theAdminclass constructor). - Method:
GET - Parameters:
page: Must be set tofirebox-submissions.task: Must be set toexport.form_id: The ID of the form whose submissions are to be extracted.
- Authentication: None required (Unauthenticated).
- Preconditions:
- The plugin must be active.
- At least one form (campaign) must exist and have submissions.
- The attacker must know or guess the
form_id.
3. Code Flow
- Entry Point: An HTTP GET request is sent to
/wp-admin/admin-ajax.php?page=firebox-submissions&task=export&form_id=1. - Initialization: WordPress loads the admin environment. The FireBox plugin initializes its
Adminclass (likely via a hook likeadmin_initor simply upon being loaded in an admin context). - Constructor Execution:
Inc/Core/Admin/Admin.php: The__construct()method is called, which immediately invokes$this->maybeExportSubmsissions();(Line 60). - Vulnerable Method:
maybeExportSubmsissions()(Line 150) performs the following checks:if (!isset($_GET['task']) || $_GET['task'] !== 'export')(Line 152)if (!isset($_GET['form_id']))(Line 157)if (!isset($_GET['page']) || $_GET['page'] !== 'firebox-submissions')(Line 162)
- Data Extraction: If the checks pass, it proceeds to:
- Sanitize the
form_idusingsanitize_key()(Line 167). - Query the database for submissions matching that
form_idviafirebox()->tables->submission->getResults($payload)(Line 180). - Retrieve the form object via
\FireBox\Core\Helpers\Form\Form::getFormByID($form_id, true)(Line 185).
- Sanitize the
- File Generation & Sink:
- Prepares a payload of submissions including metadata (Line 191-224).
- Creates a temporary CSV file using
self::toCSV()(Line 228). - Sends HTTP headers for file transfer (
Content-Type: application/octet-stream,Content-Disposition: attachment) (Lines 234-241). - Reads and outputs the file content using
readfile($filename)(Line 247). - Calls
exit;(Line 251), terminating the request and preventing WordPress from performing its standard authentication redirects.
4. Nonce Acquisition Strategy
This vulnerability does not require a nonce.
The source code in Inc/Core/Admin/Admin.php explicitly uses //phpcs:ignore WordPress.Security.NonceVerification.Recommended (Lines 152, 157, 162, 167), confirming that the developers intentionally bypassed nonce verification for these parameters.
5. Exploitation Strategy
Step 1: Discover valid form_id
Forms/Campaigns in FireBox are stored as custom post types. IDs are typically sequential integers.
- Method A (Brute Force): Iterate through integers starting from 1.
- Method B (REST API): While the REST endpoints in
Inc/Core/API/Routes/Open/FireBox.php(/campaignsand/embeds) have a permission check (read_fireboxes), if a site has misconfigured permissions or a lower-privileged user is compromised, these endpoints will list all valid IDs.
Step 2: Extract Data
Send a crafted request using the http_request tool to download the CSV.
Request Details:
- URL:
http://<target>/wp-admin/admin-ajax.php?page=firebox-submissions&task=export&form_id=<ID> - Method:
GET - Expected Response:
200 OKwithContent-Type: application/octet-streamand CSV data in the body.
6. Test Data Setup
To verify the exploit in a controlled environment:
- Install FireBox: Ensure FireBox <= 3.1.7 is active.
- Create a Form: Create a new "FireBox" campaign containing a form.
- Find the ID: Note the Post ID of the created campaign (e.g.,
123). - Submit Data: Visit the frontend and submit the form with dummy data (e.g.,
Name: John Doe,Email: john@example.com). - Verify via CLI: Confirm the submission exists in the database.
wp db query "SELECT * FROM wp_firebox_submissions;"
7. Expected Results
- The server will respond with a file download.
- The HTTP headers will contain
Content-Disposition: attachment; filename="submissions_<form_name>_<date>.csv". - The body of the response will contain a CSV-formatted list of all submissions, including field values (email, names, etc.) that were submitted through the form.
8. Verification Steps
After executing the http_request:
- Check Status: Verify the status code is
200. - Check Headers: Verify
Content-Typeisapplication/octet-streamortext/csv. - Inspect Body: Check the response body for the dummy data submitted during setup (e.g., searching for "john@example.com").
- Plugin Verification: Check the plugin version to confirm it is 3.1.7 or lower.
wp plugin get firebox --field=version
9. Alternative Approaches
If /wp-admin/admin-ajax.php fails due to specific server-side security rules blocking unauthenticated access to the AJAX endpoint, attempt the same request against:
/wp-admin/admin-post.php?page=firebox-submissions&task=export&form_id=<ID>/wp-admin/admin.php?page=firebox-submissions&task=export&form_id=<ID>
The Admin class constructor logic in FireBox is generally triggered whenever the WordPress Admin environment is initialized, which occurs for all files inside the /wp-admin/ directory. Since the vulnerable function calls exit; at the end, it succeeds before WordPress can redirect the user to wp-login.php.
Summary
The FireBox Popups plugin for WordPress is vulnerable to unauthenticated sensitive information exposure in versions up to 3.1.7. This is due to the `maybeExportSubmsissions` function in the `Admin` class failing to perform any identity or capability checks, allowing an attacker to download a CSV export of all form submissions (including PII) for any form by providing its ID.
Vulnerable Code
/* Inc/Core/Admin/Admin.php line 58 */ public function __construct() { new \FireBox\Core\Notices\Ajax(); $this->maybeExportSubmsissions(); add_action('admin_head', [$this, 'set_gutenberg_editor_logo']); --- /* Inc/Core/Admin/Admin.php line 150 */ private function maybeExportSubmsissions() { if (!isset($_GET['task']) || $_GET['task'] !== 'export') //phpcs:ignore WordPress.Security.NonceVerification.Recommended { return; } if (!isset($_GET['form_id'])) //phpcs:ignore WordPress.Security.NonceVerification.Recommended { return; } if (!isset($_GET['page']) || $_GET['page'] !== 'firebox-submissions') //phpcs:ignore WordPress.Security.NonceVerification.Recommended { return; } $form_id = sanitize_text_field(wp_unslash($_GET['form_id'])); //phpcs:ignore WordPress.Security.NonceVerification.Recommended
Security Fix
@@ -39,7 +39,7 @@ { new \FireBox\Core\Notices\Ajax(); - $this->maybeExportSubmsissions(); + add_action('admin_init', [$this, 'maybeExportSubmsissions']); add_action('admin_head', [$this, 'set_gutenberg_editor_logo']); @@ -153,25 +153,78 @@ <?php } - private function maybeExportSubmsissions() + public function maybeExportSubmsissions() { - if (!isset($_GET['task']) || $_GET['task'] !== 'export') //phpcs:ignore WordPress.Security.NonceVerification.Recommended + if (!isset($_GET['task']) || $_GET['task'] !== 'export') { - return; - } + return; + } - if (!isset($_GET['form_id'])) //phpcs:ignore WordPress.Security.NonceVerification.Recommended + if (!isset($_GET['form_id'])) { return; } - if (!isset($_GET['page']) || $_GET['page'] !== 'firebox-submissions') //phpcs:ignore WordPress.Security.NonceVerification.Recommended + if (!isset($_GET['page']) || $_GET['page'] !== 'firebox-submissions') { return; } - $form_id = sanitize_text_field(wp_unslash($_GET['form_id'])); //phpcs:ignore WordPress.Security.NonceVerification.Recommended + // Authorization: only users who can view submissions may export them. + if (!current_user_can('read_fireboxes')) + { + return; + } + + // CSRF: verify the nonce generated on the submissions list page. + check_admin_referer('firebox-export-submissions');
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by sending a GET request to any WordPress admin endpoint (e.g., /wp-admin/admin-ajax.php) with the following parameters: 'page' set to 'firebox-submissions', 'task' set to 'export', and 'form_id' set to the target form's ID. Because the plugin's Admin class constructor executes the export logic immediately upon initialization without checking for a valid session, capability, or nonce, the server generates and returns a CSV file containing all submissions for that form. The process terminates with an exit call before any standard authentication redirects occur, resulting in successful data extraction.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.