Exploitation Summary
CVE-2022-0140 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export them as a CSV file using the vfb-export endpoint.
Nuclei Templates (1)
WordPress Visual Form Builder <3.0.8 - Information Disclosure
MEDIUM by random-robbie
References (2)
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336
Third Party Advisory
https://www.fortiguard.com/zeroday/FG-VD-21-082
Scores
CVSS v3
5.3
EPSS
0.0377
EPSS Percentile
88.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-306
Status
published
Products (1)
vfbpro/visual_form_builder
< 3.0.6
Published
Apr 12, 2022
Tracked Since
Feb 18, 2026