Firebox Popups Increase Sales And Grow Your Email List
Monthly
Unauthenticated CSV export of form submission data in the FireBox Popups WordPress plugin (versions up to and including 3.1.7) exposes full personally identifiable information collected by any form on the site. The flaw lies in an unprotected endpoint that accepts a `form_id` parameter without authentication or authorization checks, allowing any remote attacker to enumerate form IDs and download complete submission records. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the trivial exploitation conditions and PII exposure make this a meaningful privacy and compliance risk for affected WordPress deployments.
Unauthenticated CSV export of form submission data in the FireBox Popups WordPress plugin (versions up to and including 3.1.7) exposes full personally identifiable information collected by any form on the site. The flaw lies in an unprotected endpoint that accepts a `form_id` parameter without authentication or authorization checks, allowing any remote attacker to enumerate form IDs and download complete submission records. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the trivial exploitation conditions and PII exposure make this a meaningful privacy and compliance risk for affected WordPress deployments.