CVE-2026-12120 Overview
The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress contains a sensitive information exposure vulnerability affecting all versions up to and including 3.1.7. Unauthenticated attackers can abuse the form_id parameter to download a complete CSV export of every submission stored against any form. The exported data includes any personally identifiable information (PII) submitted by site visitors, such as names, email addresses, and other lead capture fields. The flaw is classified as [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor and is exploitable remotely over the network without user interaction.
Critical Impact
Unauthenticated remote attackers can exfiltrate full CSV exports of form submissions — including PII — from any WordPress site running the vulnerable plugin.
Affected Products
- FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress
- All versions up to and including 3.1.7
- Any WordPress installation with the affected plugin activated
Discovery Timeline
- 2026-06-18 - CVE-2026-12120 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12120
Vulnerability Analysis
The FireBox Popups plugin exposes a CSV export function that retrieves all submissions associated with a given form. The export endpoint accepts the form_id parameter from the HTTP request and returns the corresponding submission records without verifying the requester's identity or privilege level. Because there are no authentication or capability checks gating the export action, any unauthenticated visitor can iterate through form_id values and pull complete datasets.
The affected code paths reside in the plugin's admin and framework handlers, including Inc/Core/Admin/Admin.php and Inc/Framework/init.php. See the Wordfence Vulnerability Report and WordPress Firebox Changeset Overview for the upstream code references.
Root Cause
The vulnerability stems from missing authorization on the CSV export handler. The plugin does not invoke a WordPress capability check (such as current_user_can()) and does not validate a nonce before serving the export. The form_id parameter is treated as a trusted selector rather than a request that requires the caller to own or administer the targeted form.
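The two handler shapes this paragraph contrasts, written out as an added example (illustrative code, not the FireBox plugin's own source): the first serves the export on an anonymous AJAX hook and treats form_id as a trusted selector; the second registers the export on the logged-in hook only and gates it with a nonce bound to the export action, a capability check, and integer normalisation of form_id before the value reaches storage. It assumes WordPress is loaded; the action name fbx_example_export_csv, the nonce action fbx_example_export, the table name and firebox_example_get_submissions() are hypothetical stand-ins for the plugin's real storage layer.

```php
<?php
// Added example, not FireBox code. Assumes WordPress is loaded (wp_ajax_* hooks,
// check_ajax_referer(), current_user_can(), absint(), wp_send_json_error(), $wpdb).
// The action 'fbx_example_export_csv', nonce action 'fbx_example_export', the table
// name and firebox_example_get_submissions() are hypothetical.

/** Hypothetical data access: returns the submission rows stored against one form. */
function firebox_example_get_submissions( int $form_id ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'firebox_example_submissions'; // hypothetical table
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, submitted_at, data FROM {$table} WHERE form_id = %d", $form_id ),
        ARRAY_A
    );
    return $rows ? $rows : array();
}

/**
 * Vulnerable shape (do not use): trusts form_id, performs no nonce or capability
 * check, and is reachable by anonymous visitors through the nopriv hook.
 */
function firebox_example_export_csv_vulnerable() {
    $form_id = (int) ( $_GET['form_id'] ?? 0 );
    firebox_example_stream_csv( firebox_example_get_submissions( $form_id ) );
}
// add_action( 'wp_ajax_nopriv_fbx_example_export_csv', 'firebox_example_export_csv_vulnerable' );

/**
 * Hardened handler: logged-in hook only, nonce bound to the export action,
 * capability check, and form_id normalised to a positive integer.
 */
function firebox_example_export_csv_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'fbx_example_export', '_wpnonce' );

    // 2. Authorization: only users allowed to manage the site may export leads.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input handling: form_id is a positive integer selector and nothing else.
    $form_id = isset( $_GET['form_id'] ) ? absint( wp_unslash( $_GET['form_id'] ) ) : 0;
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'invalid form_id' ), 400 );
    }

    firebox_example_stream_csv( firebox_example_get_submissions( $form_id ) );
}
// Registered on wp_ajax_ only; deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_fbx_example_export_csv', 'firebox_example_export_csv_hardened' );

/** Writes the rows to the response as CSV and ends the request. */
function firebox_example_stream_csv( array $rows ): void {
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="submissions.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'id', 'submitted_at', 'data' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, array( $row['id'], $row['submitted_at'], $row['data'] ) );
    }
    fclose( $out );
    wp_die();
}
```

The admin-side link that triggers the hardened handler is built with wp_nonce_url( admin_url( 'admin-ajax.php?action=fbx_example_export_csv&form_id=3' ), 'fbx_example_export' ), so a request that arrives without that nonce, or from a session lacking manage_options, is rejected before any row is read. The capability check establishes that the caller may administer the site, not that they own the targeted form; where forms belong to individual authors, an ownership lookup against the form's author is the additional check to add.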
Attack Vector
An unauthenticated attacker sends a crafted HTTP request to the vulnerable WordPress endpoint with an arbitrary form_id value. The server responds with a CSV file containing every submission row associated with that form identifier. Attackers can enumerate sequential form_id values to harvest data from every form configured on the site. No credentials, user interaction, or elevated privileges are required.
No verified public exploit code is available. Refer to the technical references for source-level details of the unauthenticated export path.
Detection Methods for CVE-2026-12120
Indicators of Compromise
- Unauthenticated HTTP requests targeting FireBox plugin export endpoints with varying form_id values from a single source IP.
- Outbound HTTP responses containing Content-Type: text/csv or Content-Disposition: attachment originating from anonymous sessions.
- Web server access logs showing rapid sequential enumeration of form_id query parameters.
- Bursts of large response payloads served to clients that never authenticated to /wp-admin/.
Detection Strategies
- Inspect WordPress access logs for requests to FireBox export actions issued without a valid wp_nonce or authentication cookie.
- Correlate unauthenticated requests with form_id parameter variation to identify enumeration patterns.
- Deploy a Web Application Firewall (WAF) rule that flags unauthenticated CSV downloads from plugin endpoints.
Monitoring Recommendations
- Monitor for anomalous CSV download volume against WordPress hosts, especially from non-administrator sessions.
- Alert on repeated 200 responses to form_id enumeration patterns observed within a short time window.
- Track installations of the FireBox Popups plugin across the estate and confirm version inventory matches patched releases.
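The enumeration pattern listed under Indicators of Compromise and the alerting rule under Monitoring Recommendations, turned into a small log-review script as an added example (not code from the advisory or the plugin): it parses combined-format access log lines, keeps only 200 responses to the export action, and flags any source IP that received exports for several distinct form_id values inside a short window, reporting how many of those requests carried no _wpnonce. The action name fbx_export_csv, the thresholds and the sample log lines are constructed assumptions; the real endpoint name is not given on this page.

```php
<?php
// Added example, not from the advisory or the plugin. Parses combined-format access
// log lines (constructed sample below) and flags source IPs that pull the FireBox
// export action with many distinct form_id values inside a short window.
// 'fbx_export_csv', the thresholds and the log lines are constructed assumptions.

const EXAMPLE_ACTION      = 'fbx_export_csv'; // hypothetical export action name
const DISTINCT_FORM_LIMIT = 3;                // distinct form_id values that trigger an alert
const WINDOW_SECONDS      = 300;              // enumeration window

/** Parses one combined-format line into its fields, or returns null when it does not match. */
function firebox_example_parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    $url   = parse_url( $m[4] );
    $query = array();
    parse_str( $url['query'] ?? '', $query );
    return array(
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'path'   => $url['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[5],
        'bytes'  => '-' === $m[6] ? 0 : (int) $m[6],
    );
}

/**
 * Returns alerts keyed by source IP. An IP is flagged when, within WINDOW_SECONDS,
 * it received 200 responses for the export action with at least DISTINCT_FORM_LIMIT
 * different form_id values. Requests without a _wpnonce are counted separately so the
 * analyst can see whether any call resembled a legitimate admin download.
 */
function firebox_example_find_enumeration( array $lines ): array {
    $per_ip = array();
    foreach ( $lines as $line ) {
        $r = firebox_example_parse_line( $line );
        if ( ! $r || 200 !== $r['status'] ) {
            continue;
        }
        if ( EXAMPLE_ACTION !== ( $r['query']['action'] ?? '' ) || ! isset( $r['query']['form_id'] ) ) {
            continue;
        }
        $per_ip[ $r['ip'] ][] = $r;
    }
    $alerts = array();
    foreach ( $per_ip as $ip => $reqs ) {
        usort( $reqs, fn( $a, $b ) => $a['time'] <=> $b['time'] );
        $n = count( $reqs );
        for ( $i = 0; $i < $n; $i++ ) {            // sliding window over sorted requests
            $forms = array(); $without_nonce = 0; $bytes = 0;
            for ( $j = $i; $j < $n && $reqs[ $j ]['time'] - $reqs[ $i ]['time'] <= WINDOW_SECONDS; $j++ ) {
                $forms[ $reqs[ $j ]['query']['form_id'] ] = true;
                if ( ! isset( $reqs[ $j ]['query']['_wpnonce'] ) ) {
                    $without_nonce++;
                }
                $bytes += $reqs[ $j ]['bytes'];
            }
            if ( count( $forms ) >= DISTINCT_FORM_LIMIT ) {
                $alerts[ $ip ] = array(
                    'distinct_form_ids'      => count( $forms ),
                    'requests_without_nonce' => $without_nonce,
                    'bytes_served'           => $bytes,
                    'window_start'           => date( 'c', $reqs[ $i ]['time'] ),
                );
                break;
            }
        }
    }
    return $alerts;
}

// Constructed sample: one anonymous client walking form_id, one admin download carrying a nonce.
$sample = array(
    '203.0.113.7 - - [18/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=fbx_export_csv&form_id=1 HTTP/1.1" 200 48211 "-" "curl/8.5"',
    '203.0.113.7 - - [18/Jun/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=fbx_export_csv&form_id=2 HTTP/1.1" 200 51002 "-" "curl/8.5"',
    '203.0.113.7 - - [18/Jun/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=fbx_export_csv&form_id=3 HTTP/1.1" 200 39870 "-" "curl/8.5"',
    '203.0.113.7 - - [18/Jun/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=fbx_export_csv&form_id=4 HTTP/1.1" 200 0 "-" "curl/8.5"',
    '198.51.100.20 - - [18/Jun/2026:09:15:44 +0000] "GET /wp-admin/admin-ajax.php?action=fbx_export_csv&form_id=2&_wpnonce=3f1a9c0b7e HTTP/1.1" 200 51002 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '198.51.100.20 - - [18/Jun/2026:09:16:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 12044 "-" "Mozilla/5.0"',
);

foreach ( firebox_example_find_enumeration( $sample ) as $ip => $alert ) {
    printf( "ALERT %s: %d distinct form_id values, %d requests without nonce, %d bytes served from %s\n",
        $ip, $alert['distinct_form_ids'], $alert['requests_without_nonce'], $alert['bytes_served'], $alert['window_start'] );
}
```

On the constructed sample only 203.0.113.7 is reported (four distinct form_id values, none with a nonce, about 139 KB served in four seconds); the admin at 198.51.100.20 downloaded a single form with a nonce and stays below the threshold. Because the combined log format does not record cookies, the script uses the absence of _wpnonce as its proxy for an unauthenticated request; if the web server logs the wordpress_logged_in_ cookie through a custom LogFormat, that field is the stronger signal to key on.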
How to Mitigate CVE-2026-12120
Immediate Actions Required
- Audit all WordPress sites for the FireBox Popups plugin and identify any instance running version 3.1.7 or earlier.
- Deactivate the plugin until a fixed release is installed if exposure to the internet cannot be restricted.
- Review existing CSV export access logs to determine whether form submissions may already have been exfiltrated.
- Notify affected users if PII exposure is confirmed, in line with applicable data breach disclosure obligations.
Patch Information
The vulnerability is present through version 3.1.7. Apply the vendor-supplied update once a fixed version is released and verify the export handler enforces authentication and capability checks. The relevant upstream changes are tracked at the WordPress Firebox Changeset Overview.
Workarounds
- Restrict access to WordPress admin and AJAX endpoints using IP allow-listing at the reverse proxy or WAF layer.
- Add a WAF rule to block unauthenticated requests carrying the FireBox export action parameter.
- Temporarily disable the FireBox Popups plugin on sites that collect sensitive form data until a patched version is verified.
- Rotate any credentials, API keys, or secrets that may have been submitted through affected forms.
# Example WAF rule (ModSecurity) blocking unauthenticated FireBox CSV exports
SecRule REQUEST_URI "@rx (?i)(firebox|fb_).*(export|csv)" \
"id:1029120,phase:2,deny,status:403,log,\
msg:'Block unauthenticated FireBox Popups CSV export (CVE-2026-12120)',\
chain"
SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

