CVE-2026-12120
MEDIUM
NVD
CVSS Score: 5.3
Severity: MEDIUM
Published: Jun 18, 2026
Vendor: unknown
Description
The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'form_id' parameter. This makes it possible for unauthenticated attackers to download a full CSV export of all form submissions, including any personally identifiable information submitted by users, for any arbitrary form_id.
References
- https://plugins.trac.wordpress.org/browser/firebox/tags/3.1.6/Inc/Core/Admin/Admin.php#L156
- https://plugins.trac.wordpress.org/browser/firebox/tags/3.1.6/Inc/Core/Admin/Admin.php#L42
- https://plugins.trac.wordpress.org/browser/firebox/tags/3.1.6/Inc/Core/Plugin.php#L217
- https://plugins.trac.wordpress.org/browser/firebox/tags/3.1.6/Inc/Framework/init.php#L254
- https://plugins.trac.wordpress.org/browser/firebox/tags/3.1.7/Inc/Core/Admin/Admin.php#L156