[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8EGvAHNolSs2vqV95f4wL8RT7MS9AdsrW7qxUyvt2Ws":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-12120","firebox-popups-unauthenticated-sensitive-information-exposure-in-formid-parameter","FireBox Popups \u003C= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Parameter","The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'form_id' parameter. This makes it possible for unauthenticated attackers to extract download a full CSV export of all form submissions — including any personally identifiable information submitted by users — for any arbitrary form_id.","firebox",null,"\u003C=3.1.7","3.1.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-17 00:00:00","2026-06-18 04:31:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F54f939f9-2853-401a-adc0-5b727da5179b?source=api-prod",1,[22,23,24,25,26,27,28,29],"Inc\u002FCore\u002FAPI\u002FAPI.php","Inc\u002FCore\u002FAPI\u002FEndpointController.php","Inc\u002FCore\u002FAPI\u002FManager.php","Inc\u002FCore\u002FAPI\u002FRoutes\u002FOpen\u002FFireBox.php","Inc\u002FCore\u002FAdmin\u002FAdmin.php","Inc\u002FCore\u002FAdmin\u002FAdminPageSettings.php","Inc\u002FCore\u002FAdmin\u002FCapabilities.php","Inc\u002FCore\u002FAdmin\u002FForms\u002FImport.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-12120\n\n## 1. Vulnerability Summary\n**CVE-2026-12120** is a sensitive information exposure vulnerability in the **FireBox Popups** plugin (versions \u003C= 3.1.7). The vulnerability exists within the `maybeExportSubmsissions` method of the `FireBox\\Core\\Admin\\Admin` class. \n\nThe plugin fails to perform any authentication or authorization checks (such as `current_user_can`) or nonce verification before processing a request to export form submissions. An unauthenticated attacker can trigger a full CSV download of all PII (Personally Identifiable Information) submitted through any form by providing its `form_id`.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (or any admin-context URL that triggers the `Admin` class constructor).\n*   **Method:** `GET`\n*   **Parameters:**\n    *   `page`: Must be set to `firebox-submissions`.\n    *   `task`: Must be set to `export`.\n    *   `form_id`: The ID of the form whose submissions are to be extracted.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:**\n    *   The plugin must be active.\n    *   At least one form (campaign) must exist and have submissions.\n    *   The attacker must know or guess the `form_id`.\n\n## 3. Code Flow\n1.  **Entry Point:** An HTTP GET request is sent to `\u002Fwp-admin\u002Fadmin-ajax.php?page=firebox-submissions&task=export&form_id=1`.\n2.  **Initialization:** WordPress loads the admin environment. The FireBox plugin initializes its `Admin` class (likely via a hook like `admin_init` or simply upon being loaded in an admin context).\n3.  **Constructor Execution:** `Inc\u002FCore\u002FAdmin\u002FAdmin.php`: The `__construct()` method is called, which immediately invokes `$this->maybeExportSubmsissions();` (Line 60).\n4.  **Vulnerable Method:** `maybeExportSubmsissions()` (Line 150) performs the following checks:\n    *   `if (!isset($_GET['task']) || $_GET['task'] !== 'export')` (Line 152)\n    *   `if (!isset($_GET['form_id']))` (Line 157)\n    *   `if (!isset($_GET['page']) || $_GET['page'] !== 'firebox-submissions')` (Line 162)\n5.  **Data Extraction:** If the checks pass, it proceeds to:\n    *   Sanitize the `form_id` using `sanitize_key()` (Line 167).\n    *   Query the database for submissions matching that `form_id` via `firebox()->tables->submission->getResults($payload)` (Line 180).\n    *   Retrieve the form object via `\\FireBox\\Core\\Helpers\\Form\\Form::getFormByID($form_id, true)` (Line 185).\n6.  **File Generation & Sink:**\n    *   Prepares a payload of submissions including metadata (Line 191-224).\n    *   Creates a temporary CSV file using `self::toCSV()` (Line 228).\n    *   Sends HTTP headers for file transfer (`Content-Type: application\u002Foctet-stream`, `Content-Disposition: attachment`) (Lines 234-241).\n    *   Reads and outputs the file content using `readfile($filename)` (Line 247).\n    *   Calls `exit;` (Line 251), terminating the request and preventing WordPress from performing its standard authentication redirects.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a nonce**. \nThe source code in `Inc\u002FCore\u002FAdmin\u002FAdmin.php` explicitly uses `\u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Recommended` (Lines 152, 157, 162, 167), confirming that the developers intentionally bypassed nonce verification for these parameters.\n\n## 5. Exploitation Strategy\n### Step 1: Discover valid `form_id`\nForms\u002FCampaigns in FireBox are stored as custom post types. IDs are typically sequential integers.\n*   **Method A (Brute Force):** Iterate through integers starting from 1.\n*   **Method B (REST API):** While the REST endpoints in `Inc\u002FCore\u002FAPI\u002FRoutes\u002FOpen\u002FFireBox.php` (`\u002Fcampaigns` and `\u002Fembeds`) have a permission check (`read_fireboxes`), if a site has misconfigured permissions or a lower-privileged user is compromised, these endpoints will list all valid IDs.\n\n### Step 2: Extract Data\nSend a crafted request using the `http_request` tool to download the CSV.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php?page=firebox-submissions&task=export&form_id=\u003CID>`\n*   **Method:** `GET`\n*   **Expected Response:** `200 OK` with `Content-Type: application\u002Foctet-stream` and CSV data in the body.\n\n## 6. Test Data Setup\nTo verify the exploit in a controlled environment:\n1.  **Install FireBox:** Ensure FireBox \u003C= 3.1.7 is active.\n2.  **Create a Form:** Create a new \"FireBox\" campaign containing a form.\n3.  **Find the ID:** Note the Post ID of the created campaign (e.g., `123`).\n4.  **Submit Data:** Visit the frontend and submit the form with dummy data (e.g., `Name: John Doe`, `Email: john@example.com`).\n5.  **Verify via CLI:** Confirm the submission exists in the database.\n    ```bash\n    wp db query \"SELECT * FROM wp_firebox_submissions;\"\n    ```\n\n## 7. Expected Results\n*   The server will respond with a file download.\n*   The HTTP headers will contain `Content-Disposition: attachment; filename=\"submissions_\u003Cform_name>_\u003Cdate>.csv\"`.\n*   The body of the response will contain a CSV-formatted list of all submissions, including field values (email, names, etc.) that were submitted through the form.\n\n## 8. Verification Steps\nAfter executing the `http_request`:\n1.  **Check Status:** Verify the status code is `200`.\n2.  **Check Headers:** Verify `Content-Type` is `application\u002Foctet-stream` or `text\u002Fcsv`.\n3.  **Inspect Body:** Check the response body for the dummy data submitted during setup (e.g., searching for \"john@example.com\").\n4.  **Plugin Verification:** Check the plugin version to confirm it is 3.1.7 or lower.\n    ```bash\n    wp plugin get firebox --field=version\n    ```\n\n## 9. Alternative Approaches\nIf `\u002Fwp-admin\u002Fadmin-ajax.php` fails due to specific server-side security rules blocking unauthenticated access to the AJAX endpoint, attempt the same request against:\n*   `\u002Fwp-admin\u002Fadmin-post.php?page=firebox-submissions&task=export&form_id=\u003CID>`\n*   `\u002Fwp-admin\u002Fadmin.php?page=firebox-submissions&task=export&form_id=\u003CID>`\n\nThe `Admin` class constructor logic in FireBox is generally triggered whenever the WordPress Admin environment is initialized, which occurs for all files inside the `\u002Fwp-admin\u002F` directory. Since the vulnerable function calls `exit;` at the end, it succeeds before WordPress can redirect the user to `wp-login.php`.","The FireBox Popups plugin for WordPress is vulnerable to unauthenticated sensitive information exposure in versions up to 3.1.7. This is due to the `maybeExportSubmsissions` function in the `Admin` class failing to perform any identity or capability checks, allowing an attacker to download a CSV export of all form submissions (including PII) for any form by providing its ID.","\u002F* Inc\u002FCore\u002FAdmin\u002FAdmin.php line 58 *\u002F\n\tpublic function __construct()\n\t{\n\t\tnew \\FireBox\\Core\\Notices\\Ajax();\n\n\t\t$this->maybeExportSubmsissions();\n\n\t\tadd_action('admin_head', [$this, 'set_gutenberg_editor_logo']);\n\n---\n\n\u002F* Inc\u002FCore\u002FAdmin\u002FAdmin.php line 150 *\u002F\n\tprivate function maybeExportSubmsissions()\n\t{\n        if (!isset($_GET['task']) || $_GET['task'] !== 'export') \u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Recommended\n\t\t{\n            return;\n        }\n\n\t\tif (!isset($_GET['form_id'])) \u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Recommended\n\t\t{\n\t\t\treturn;\n\t\t}\n\n\t\tif (!isset($_GET['page']) || $_GET['page'] !== 'firebox-submissions') \u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Recommended\n\t\t{\n\t\t\treturn;\n\t\t}\n\n\t\t$form_id = sanitize_text_field(wp_unslash($_GET['form_id'])); \u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Recommended","--- \u002FInc\u002FCore\u002FAdmin\u002FAdmin.php\n+++ \u002FInc\u002FCore\u002FAdmin\u002FAdmin.php\n@@ -39,7 +39,7 @@\n \t{\n \t\tnew \\FireBox\\Core\\Notices\\Ajax();\n \n-\t\t$this->maybeExportSubmsissions();\n+\t\tadd_action('admin_init', [$this, 'maybeExportSubmsissions']);\n \n \t\tadd_action('admin_head', [$this, 'set_gutenberg_editor_logo']);\n \t\t\n@@ -153,25 +153,78 @@\n \t\t\u003C?php\n \t}\n \n-\tprivate function maybeExportSubmsissions()\n+\tpublic function maybeExportSubmsissions()\n \t{\n-\t\tif (!isset($_GET['task']) || $_GET['task'] !== 'export') \u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Recommended\n+\t\tif (!isset($_GET['task']) || $_GET['task'] !== 'export')\n \t\t{\n-\t\t\treturn;\n-\t\t}\n+\t\t\treturn;\n+\t\t}\n \n-\t\tif (!isset($_GET['form_id'])) \u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Recommended\n+\t\tif (!isset($_GET['form_id']))\n \t\t{\n \t\t\treturn;\n \t\t}\n \n-\t\tif (!isset($_GET['page']) || $_GET['page'] !== 'firebox-submissions') \u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Recommended\n+\t\tif (!isset($_GET['page']) || $_GET['page'] !== 'firebox-submissions')\n \t\t{\n \t\t\treturn;\n \t\t}\n \n-\t\t$form_id = sanitize_text_field(wp_unslash($_GET['form_id'])); \u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Recommended\n+\t\t\u002F\u002F Authorization: only users who can view submissions may export them.\n+\t\tif (!current_user_can('read_fireboxes'))\n+\t\t{\n+\t\t\treturn;\n+\t\t}\n+\n+\t\t\u002F\u002F CSRF: verify the nonce generated on the submissions list page.\n+\t\tcheck_admin_referer('firebox-export-submissions');","An unauthenticated attacker can exploit this vulnerability by sending a GET request to any WordPress admin endpoint (e.g., \u002Fwp-admin\u002Fadmin-ajax.php) with the following parameters: 'page' set to 'firebox-submissions', 'task' set to 'export', and 'form_id' set to the target form's ID. Because the plugin's Admin class constructor executes the export logic immediately upon initialization without checking for a valid session, capability, or nonce, the server generates and returns a CSV file containing all submissions for that form. The process terminates with an exit call before any standard authentication redirects occur, resulting in successful data extraction.","gemini-3-flash-preview","2026-06-25 22:47:32","2026-06-25 22:48:34",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.1.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffirebox\u002Ftags\u002F3.1.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffirebox.3.1.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffirebox\u002Ftags\u002F3.1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffirebox.3.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffirebox\u002Ftags"]