[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fasBPDRW1DekaYs2x1sVPU64oew97APy60uiSAP1QbBA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-25320","formsdb-save-elementor-forms-to-google-sheets-post-type-missing-authorization","FormsDB – Save Elementor Forms to Google Sheets & Post Type \u003C= 2.1.3 - Missing Authorization","The FormsDB – Save Elementor Forms to Google Sheets & Post Type plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.1.3. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","sb-elementor-contact-form-db",null,"\u003C=2.1.3","2.1.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-28 00:00:00","2026-05-04 15:24:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3cbd58da-3d72-4b8c-add9-c38afc6fa3d0?source=api-prod",97,[22,23,24],"includes\u002Flib-helpers\u002Fclass-fdbgp-google-api-functions.php","readme.txt","sb_elementor_contact_form_db.php","researched",false,3,"# Exploitation Research Plan - FormsDB (CVE-2026-25320)\n\n## 1. Vulnerability Summary\nThe **FormsDB – Save Elementor Forms to Google Sheets & Post Type** plugin (version \u003C= 2.1.3) is vulnerable to **Missing Authorization**. Specifically, several administrative AJAX functions registered in the `FDBGP_Loader` class (and associated helper classes) lack proper capability checks (e.g., `current_user_can( 'manage_options' )`). This allows unauthenticated attackers to perform unauthorized actions, such as disconnecting Google API services, modifying plugin settings, or potentially exposing form submission data.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions**: The vulnerability likely affects multiple AJAX actions. 
Based on the plugin's functionality (handling Google Sheets and form submissions), the primary candidates for unauthorized access are:\n    - `fdbgp_disconnect_google_api` (Disconnects the Google account)\n    - `fdb_get_gsheet_list` (Lists Google Sheets from the connected account)\n    - `fdb_get_gsheet_tabs` (Lists tabs within a spreadsheet)\n    - `sb_fdb_export_sub` or `fdb_export_submissions` (Exports form entries)\n- **Authentication**: Unauthenticated (the actions are likely registered via both `wp_ajax_` and `wp_ajax_nopriv_` hooks without capability","The FormsDB plugin for WordPress is vulnerable to unauthorized access and CSRF because it lacks capability checks on several AJAX actions and fails to implement state\u002Fnonce verification during the Google OAuth callback process. This allows unauthenticated attackers to disconnect Google API services, modify plugin settings, or manipulate the authentication flow.","\u002F\u002F sb_elementor_contact_form_db.php\npublic function setting_redirect(){\n    \u002F\u002F Handle OAuth callback\n    if ( ! is_user_logged_in() || ! current_user_can('manage_options') ) {\n        return;\n    }\n\n    \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n    if(!isset($_GET['page'])){\n        return;\n    }\n\n    \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n    $code = isset($_GET['code']) && !empty($_GET['code']) ? sanitize_text_field(wp_unslash($_GET['code'])) : '';\n    \n    if(!empty($code)){\n        \u002F\u002F ... 
(truncated: saves code to settings without verifying state\u002Fnonce)\n    }\n}\n\n---\n\n\u002F\u002F includes\u002Flib-helpers\u002Fclass-fdbgp-google-api-functions.php ~ line 170\n\u002F\u002F The OAuth client creation does not set a state (CSRF token) for verification\ntry {\n    if ( empty( $auth_token ) ) {\n        $auth_url = $client->createAuthUrl();\n        return $auth_url;\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsb-elementor-contact-form-db\u002F2.1.3\u002Fincludes\u002Flib-helpers\u002Fclass-fdbgp-google-api-functions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsb-elementor-contact-form-db\u002F2.1.4\u002Fincludes\u002Flib-helpers\u002Fclass-fdbgp-google-api-functions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsb-elementor-contact-form-db\u002F2.1.3\u002Fincludes\u002Flib-helpers\u002Fclass-fdbgp-google-api-functions.php\t2025-12-30 06:17:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsb-elementor-contact-form-db\u002F2.1.4\u002Fincludes\u002Flib-helpers\u002Fclass-fdbgp-google-api-functions.php\t2026-01-29 10:27:56.000000000 +0000\n@@ -170,6 +170,8 @@\n \t\t\u002F\u002F Load previously authorized credentials from a database.\n \t\ttry {\n \t\t\tif ( empty( $auth_token ) ) {\n+\t\t\t\t$state = wp_create_nonce( 'fdbgp_google_oauth' );\n+\t\t\t\t$client->setState( $state );\n \t\t\t\t$auth_url = $client->createAuthUrl();\n \t\t\t\treturn $auth_url;\n \t\t\t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsb-elementor-contact-form-db\u002F2.1.3\u002Fsb_elementor_contact_form_db.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsb-elementor-contact-form-db\u002F2.1.4\u002Fsb_elementor_contact_form_db.php\n--- 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsb-elementor-contact-form-db\u002F2.1.3\u002Fsb_elementor_contact_form_db.php\t2026-01-23 09:16:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsb-elementor-contact-form-db\u002F2.1.4\u002Fsb_elementor_contact_form_db.php\t2026-01-29 10:27:56.000000000 +0000\n@@ -65,7 +65,7 @@\n \t\t\t}\n \n \t\t\tadd_action( 'plugins_loaded', array( $this, 'FDBGP_plugins_loaded' ) );\n-\t\t\tadd_action( 'plugins_loaded', array( $this, 'setting_redirect' ));\n+\t\t\tadd_action( 'admin_init', array( $this, 'setting_redirect' ));\n \t\t\tadd_filter( 'plugin_row_meta', array( $this, 'fdbgp_plugin_row_meta' ), 10, 2 );\n \t\t\tadd_action( 'activated_plugin', array( $this, 'fdbgp_plugin_redirection' ) );\n \n@@ -119,7 +119,14 @@\n \t\t\t}\n \n \t\t\t\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n-\t\t\tif(!isset($_GET['page'])){\n+\t\t\tif(!isset($_GET['page']) || 'formsdb' !== sanitize_text_field(wp_unslash($_GET['page']))){\n+\t\t\t\treturn;\n+\t\t\t}\n+\n+\t\t\t\u002F\u002F Verify state (nonce) returned from Google\n+\t\t\t\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n+\t\t\t$state = isset($_GET['state']) ? sanitize_text_field(wp_unslash($_GET['state'])) : '';\n+\t\t\tif ( empty($state) || ! wp_verify_nonce($state, 'fdbgp_google_oauth') ) {\n \t\t\t\treturn;\n \t\t\t}","1. **AJAX Unauthorized Action**: An attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with an `action` parameter set to administrative functions such as `fdbgp_disconnect_google_api` or `fdb_get_gsheet_list`. Because these actions are registered via `wp_ajax_nopriv_` (or lack capability checks in the handler), the plugin executes the logic even for unauthenticated users. The action names and their registration are inferred rather than confirmed: the 2.1.3 to 2.1.4 diff recorded in this entry changes only the OAuth callback handling, not any AJAX handler.\n2. 
**OAuth CSRF\u002FState Manipulation**: An attacker can initiate a Google OAuth callback to `\u002Fwp-admin\u002Fadmin.php?page=formsdb&code=[EXPLOIT_CODE]` without providing a valid `state` parameter. In versions \u003C= 2.1.3, `setting_redirect()` still requires a logged-in user with `manage_options`, so the callback has to arrive through an administrator's browser session; what the plugin does not verify is that the callback belongs to an OAuth flow that administrator started. It processes the `code` and updates the `fdbgp_google_settings` option, allowing an attacker to force-connect the plugin to their own Google account. Version 2.1.4 sets a `fdbgp_google_oauth` nonce as the OAuth `state` and returns early from the callback when `wp_verify_nonce()` fails.","gemini-3-flash-preview","2026-05-04 21:28:17","2026-05-04 21:29:09",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.1.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsb-elementor-contact-form-db\u002Ftags\u002F2.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsb-elementor-contact-form-db.2.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsb-elementor-contact-form-db\u002Ftags\u002F2.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsb-elementor-contact-form-db.2.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsb-elementor-contact-form-db\u002Ftags"]