Easy Form Builder plugin for WordPress allows unauthorized data access

CVE-2025-14067
Summary

The Easy Form Builder plugin for WordPress contains an authorization flaw that lets authenticated users with Subscriber-level access or above retrieve sensitive form response data, such as messages, admin replies, and user information, that they have no permission to view. This affects all versions of the plugin up to and including 3.9.3. To fix the issue, update the plugin to a newer version or remove it if it is not essential to your website.

Original title
The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This ...
Original description
The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive form response data, including messages, admin replies, and user information due to a logic error in the authorization check that uses AND (&&) instead of OR (||).
NVD CVSS 3.1 score: 5.3
Vulnerability type
CWE-862 Missing Authorization
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026