FireBox Popups <= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Parameter
Description
The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'form_id' parameter. This makes it possible for unauthenticated attackers to download a full CSV export of all form submissions (including any personally identifiable information submitted by users) for any arbitrary form_id.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=3.1.7
Patches
Vulnerability mechanics
Root cause
"Missing authentication and authorization checks in the form submission export handler allow unauthenticated attackers to export any form's submissions as a CSV file."
Attack vector
An unauthenticated attacker can send a crafted HTTP request to the WordPress admin area with a `form_id` parameter set to any valid form identifier. The `maybeExportSubmissions()` method in the Admin class processes this parameter without verifying user capabilities or a nonce, queries the database for all submissions matching that form ID, and streams a CSV file containing all submitted data — including personally identifiable information (PII) — directly to the attacker. No authentication or prior interaction is required, making this a trivial data exfiltration vector.
Affected code
The vulnerability resides in the `maybeExportSubmissions()` method within `Inc/Core/Admin/Admin.php` (line 42 in version 3.1.6). This method is called from the constructor and directly uses the user-supplied `form_id` parameter to query and export form submissions without any capability or nonce check, allowing unauthenticated access to the CSV export functionality.
What the fix does
The advisory does not include a published patch, but the root cause is clear: the `maybeExportSubmissions()` method lacks any capability check (e.g., `current_user_can()`) or nonce verification before exporting submissions. A proper fix would require verifying that the requesting user has the appropriate administrative capability (such as `manage_options`) and validating a nonce before processing the export. Until a patch is applied, the plugin remains vulnerable to unauthenticated data exfiltration.
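A sketch of the check order described above, as an added example that is not the plugin's code or a vendor patch. The function name, the `example_export` trigger, the nonce action and the table name are hypothetical, and the snippet assumes it is loaded as part of a WordPress plugin.

```php
<?php
/**
 * Added example (not FireBox code): a CSV export handler guarded the way
 * the text recommends. Hook, trigger, nonce and table names are hypothetical.
 */
add_action( 'admin_init', 'example_maybe_export_submissions' );

function example_maybe_export_submissions() {
    // Only act on an explicit export request.
    if ( ! isset( $_GET['example_export'], $_GET['form_id'] ) ) {
        return;
    }

    // 1. Authorization: admin_init also fires for admin-ajax.php and
    //    admin-post.php requests from logged-out visitors, so reaching
    //    this hook proves nothing about the caller.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Intent (CSRF): the export link must carry a nonce created with
    //    wp_nonce_url( $url, 'example_export_submissions' ).
    check_admin_referer( 'example_export_submissions' );

    // 3. Treat form_id as untrusted input and bind it as a query parameter.
    global $wpdb;
    $form_id = sanitize_text_field( wp_unslash( $_GET['form_id'] ) );
    $table   = $wpdb->prefix . 'example_submissions'; // assumed table name
    $rows    = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE form_id = %s", $form_id ),
        ARRAY_A
    );

    // 4. Stream the CSV only after every check has passed.
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="submissions.csv"' );
    $out = fopen( 'php://output', 'w' );
    if ( $rows ) {
        fputcsv( $out, array_keys( $rows[0] ) ); // header row from column names
    }
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
```

Running the handler on a hook rather than from a constructor also matters because `current_user_can()` depends on the pluggable user functions, which WordPress loads only after plugin files have been included.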
Preconditions
- input: The attacker must know or guess a valid form_id that exists in the plugin's submission database.
- network: The attacker must be able to reach the WordPress admin AJAX endpoint or admin page where the export handler is registered.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/firebox/tags/3.1.6/Inc/Core/Admin/Admin.php (mitre)
- plugins.trac.wordpress.org/browser/firebox/tags/3.1.6/Inc/Core/Admin/Admin.php (mitre)
- plugins.trac.wordpress.org/browser/firebox/tags/3.1.6/Inc/Core/Plugin.php (mitre)
- plugins.trac.wordpress.org/browser/firebox/tags/3.1.6/Inc/Framework/init.php (mitre)
- plugins.trac.wordpress.org/browser/firebox/tags/3.1.7/Inc/Core/Admin/Admin.php (mitre)
- plugins.trac.wordpress.org/browser/firebox/tags/3.1.7/Inc/Core/Admin/Admin.php (mitre)
- plugins.trac.wordpress.org/browser/firebox/tags/3.1.7/Inc/Core/Plugin.php (mitre)
- plugins.trac.wordpress.org/browser/firebox/tags/3.1.7/Inc/Framework/init.php (mitre)
- plugins.trac.wordpress.org/changeset (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/54f939f9-2853-401a-adc0-5b727da5179b (mitre)