Version 1.9.3.3 is now live for both Advanced Forms and Advanced Forms Pro. This is a small security release and we recommend everyone update to this version.
Form export security enhancements
This release adds some capability and nonce checks to the form JSON export routine to prevent unauthorized export of form structural JSON data. It was discovered that an attacker could utilise the admin-post.php endpoint with the right combination of arguments and a form ID to export the JSON file containing a form’s structure.
Note, form submissions and data submitted via a form were not affected by this vulnerability.
Thanks to the Wordfence team for discovering and reporting this vulnerability on February 2nd and providing a thorough explanation and suggestions.
Changelog
- Added capability and nonce checks to prevent unauthorized export of form JSON
