Easy Form Builder WordPress Plugin Missing Authorization Vulnerability Allows Data Exposure

Vulnerability

The Easy Form Builder plugin for WordPress, in all versions up to and including 3.9.3, is missing an effective capability check on several AJAX actions. As a result, authenticated users with Subscriber-level access and above can read sensitive form response data, including submitted messages, admin replies, and user information. The root cause is a logic error in the authorization check, which combines its conditions with AND where OR was intended, so a request is only rejected when every condition fails instead of when any one of them fails.
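The AND-for-OR error described above, shown as a hypothetical WordPress AJAX handler beside its corrected form. This is added example code, not the plugin's own source: the advisory does not name the affected actions or the exact conditions, so the action name efb_demo_get_responses, the nonce check, and the capability manage_options are assumptions chosen for illustration.

```php
<?php
// Added illustration, not code from the Easy Form Builder plugin. The action
// name, nonce action, and capability below are assumed for the example.

// --- Vulnerable pattern (the bug class the advisory describes) ---
// The request is rejected only when BOTH checks fail. Any request that
// carries a valid nonce therefore never hits the error branch, and the
// capability check is effectively skipped for every logged-in user.
function efb_demo_get_responses_vulnerable() {
    $nonce_ok = check_ajax_referer( 'efb_demo_nonce', 'nonce', false );
    if ( ! $nonce_ok && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_die()s here
    }
    wp_send_json_success( efb_demo_load_responses() );
}

// --- Hardened pattern ---
// Reject when EITHER check fails. The nonce ties the request to the site's
// own page (CSRF protection); the capability proves the user is allowed to
// see the data. They answer different questions, so both must pass.
function efb_demo_get_responses_fixed() {
    $nonce_ok = check_ajax_referer( 'efb_demo_nonce', 'nonce', false );
    if ( ! $nonce_ok || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_die()s here
    }
    wp_send_json_success( efb_demo_load_responses() );
}

// Placeholder standing in for the plugin's response storage (assumed).
function efb_demo_load_responses() {
    return array(); // form submissions, admin replies, user details
}

// Register only the wp_ajax_ (logged-in) hook; there is deliberately no
// wp_ajax_nopriv_ registration because anonymous access is never intended.
add_action( 'wp_ajax_efb_demo_get_responses', 'efb_demo_get_responses_fixed' );
```

When reviewing AJAX handlers for this bug class, look for negated conditions joined with && in the guard: `if ( ! a && ! b ) deny` means "deny only if both fail", which is almost never the intended policy. The safe form is `if ( ! a || ! b ) deny`, or equivalently a separate early return for each check.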

Impact

The vulnerability could lead to unauthorized access to sensitive form response data, including personal user information, messages, and admin replies, for authenticated users with Subscriber-level access.

Reproduction

The vulnerability can be reproduced by an authenticated user with Subscriber-level access. The user can send a request to one of the affected AJAX actions that lack proper authorization checks. The response will include sensitive form data that should not be accessible to them.

Remediation

Users are advised to update the Easy Form Builder plugin to version 3.9.4 or later, where this vulnerability has been patched.

Added: Feb 14, 2026, 4:39 AM
Updated: Feb 14, 2026, 4:39 AM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          2.5
exploitability  6.4
remediation     7.7
relevance       3.0
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.