cve/2022/CVE-2022-0163.md
2024-06-18 02:51:15 +02:00

### [CVE-2022-0163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0163)
![](https://img.shields.io/static/v1?label=Product&message=Smart%20Forms%20%E2%80%93%20when%20you%20need%20more%20than%20just%20a%20contact%20form&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=2.6.71%3C%202.6.71%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-862%20Missing%20Authorization&color=brighgreen)
### Description
The Smart Forms WordPress plugin before 2.6.71 does not perform an authorisation check in its `rednao_smart_forms_entries_list` AJAX action, allowing any authenticated user, such as a subscriber, to download the data of arbitrary forms, which could include sensitive information such as PII depending on the form.
### POC
#### Reference
- https://wpscan.com/vulnerability/2b6b0731-4515-498a-82bd-d416f5885268
#### Github
No PoCs found on GitHub currently.