Form export security enhancements
This release adds some capability and nonce checks to the form JSON export routine to prevent unauthorized export of form structural JSON data. It was discovered that an attacker could utilise the admin-post.php endpoint with the right combination of arguments and a form ID to export the JSON file containing a form’s structure.
Note, form submissions and data submitted via a form were not affected by this vulnerability.
Thanks to the Wordfence team for discovering and reporting this vulnerability on February 2nd and providing a thorough explanation and suggestions.
- Added capability and nonce checks to prevent unauthorized export of form JSON
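
The kind of check this fix describes, as an added example (not this plugin's own code): an admin-post.php export handler that verifies a capability and a per-form nonce before returning any JSON. The action name, the `manage_options` capability, the `_myplugin_form_structure` meta key and all `myplugin_` function names are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example form export hardening (illustrative only)
 */
// Hypothetical action name; the real plugin's action is not given on this page.
const MYPLUGIN_EXPORT_ACTION = 'myplugin_export_form';

// Hooked only on admin_post_{action}. No admin_post_nopriv_{action} hook is
// registered, so logged-out requests never reach the handler.
add_action( 'admin_post_' . MYPLUGIN_EXPORT_ACTION, 'myplugin_handle_form_export' );

function myplugin_handle_form_export() {
    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;

    // Capability check: being logged in is not enough to export a form.
    // 'manage_options' is an assumed capability for this example.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export forms.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // Nonce check, bound to this action and this form ID, so a link issued
    // for one form cannot be replayed for another. Dies with 403 on failure.
    check_admin_referer( MYPLUGIN_EXPORT_ACTION . '_' . $form_id );

    // Assumed storage: form structure kept in post meta under a hypothetical key.
    $structure = $form_id ? get_post_meta( $form_id, '_myplugin_form_structure', true ) : '';
    if ( empty( $structure ) ) {
        wp_die( esc_html__( 'Form not found.', 'myplugin' ), '', array( 'response' => 404 ) );
    }

    nocache_headers();
    header( 'Content-Type: application/json; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="form-' . $form_id . '.json"' );
    echo wp_json_encode( $structure );
    exit;
}

// Builds the export link shown on an admin screen; the nonce is added here
// and matches the action string verified in the handler above.
function myplugin_export_url( $form_id ) {
    $form_id = absint( $form_id );
    $url     = add_query_arg(
        array( 'action' => MYPLUGIN_EXPORT_ACTION, 'form_id' => $form_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, MYPLUGIN_EXPORT_ACTION . '_' . $form_id );
}
```

A request that supplies only the action and a form ID now fails at the capability check or, for an authorised user, at the nonce check unless it came from a link generated by `myplugin_export_url()`.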