CVE-2022-0591— Formcraft3 < 3.8.28 - Unauthenticated SSRF

EPSS 87.90% · P99 Updated Feb 25, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-0591

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Formcraft3 < 3.8.28 - Unauthenticated SSRF

Source: NVD (National Vulnerability Database)

Vulnerability Description

The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

服务端请求伪造(SSRF)

Source: NVD (National Vulnerability Database)

Vulnerability Title

WordPress plugin FormCraft 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是WordPress开源的一个应用插件。 WordPress plugin FormCraft 3.8.28 之前存在代码问题漏洞，该漏洞源于插件不验证 formcraft3_get AJAX 操作中的 URL 参数。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Unknown	FormCraft	3.8.28 ~ 3.8.28	-

II. Public POCs for CVE-2022-0591

#	POC Description	Source Link	Shenlong Link
1	Automatic Mass Tool for checking vulnerability in CVE-2022-0591 - Formcraft3 < 3.8.28 - Unauthenticated SSRF	https://github.com/im-hanzou/FC3er	POC Details
2	Formcraft3 before version 3.8.2 does not validate the URL parameter in the formcraft3_get AJAX action, leading to server-side request forgery issues exploitable by unauthenticated users.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-0591.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2022-0591

请登录查看更多情报信息。

Same Patch Batch · Unknown · 2022-03-21 · 17 CVEs total

CVE-2022-0760		Simple Link Directory < 7.7.2 - Unauthenticated SQL injection
CVE-2022-0747		Infographic Maker - iList < 4.3.8 - Unauthenticated SQL Injection
CVE-2022-0739		BookingPress < 1.0.11 - Unauthenticated SQL Injection
CVE-2022-0694		Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection
CVE-2022-0687		Amelia < 1.0.46 - Manager+ RCE
CVE-2022-0681		Simple Membership < 4.1.0 - Arbitrary Transaction Deletion via CSRF
CVE-2022-0640		AP Pricing Tables Lite < 1.1.5 - Reflected Cross-Site Scripting
CVE-2022-0628		AP Mega Menu < 3.0.8 - Reflected Cross-Site Scripting
CVE-2022-0627		Amelia < 1.0.46 - Reflected Cross-Site Scripting
CVE-2022-0616		Amelia < 1.0.46 - Arbitrary Customer Deletion via CSRF
CVE-2022-0590		BulletProof Security < 5.8 - Admin+ Stored Cross-Site Scripting (XSS)
CVE-2022-0423		3D FlipBook < 1.12.1 - Subscriber+ Stored Cross-Site Scripting
CVE-2022-0364		Modern Events Calendar Lite < 6.4.0 - Contributor+ Stored Cross Site Scripting
CVE-2022-0229		miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion
CVE-2021-25019		SEO Plugin by Squirrly SEO < 11.1.12 - Reflected Cross-Site Scripting
CVE-2021-24905		Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion

IV. Related Vulnerabilities

Same product: FormCraft

Same vendor: Unknown

Same weakness: CWE-918

V. Comments for CVE-2022-0591

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2022-0591— Formcraft3 < 3.8.28 - Unauthenticated SSRF

I. Basic Information for CVE-2022-0591

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2022-0591

III. Intelligence Information for CVE-2022-0591

Same Patch Batch · Unknown · 2022-03-21 · 17 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2022-0591

Leave a comment