Visual Form Builder < 3.0.4 – Admin+ Stored Cross-Site Scripting | CVE 2021-24514 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed

Proof of Concept

Create a new Form via the plugin, fill it with any values. In the next step, change the Form name to: "/><img src onerror=alert(/XSS/)> and save the form

The XSS will be triggered when viewing the forms list (/wp-admin/admin.php?page=visual-form-builder) or when editing the related form

Affects Plugins

visual-form-builder

Fixed in 3.0.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Felipe Restrepo Rodriguez

Submitter

Felipe Restrepo Rodriguez

Submitter website

https://pfelilpe.com

Submitter twitter

Verified

Yes

WPVDB ID

0afa78d3-2403-4e0c-8f16-5b7874b03cd2

Timeline

Publicly Published

2021-09-27 (about 2 years ago)

Added

2021-09-27 (about 2 years ago)

Last Updated

2022-04-14 (about 2 years ago)

Other

Published

Title

Published

2023-04-06

Title

Product Catalog Simple < 1.7.0 - Reflected XSS

Published

2017-07-24

Title

Popup Maker <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)

Published

2024-03-25

Title

Bulk NoIndex & NoFollow Toolkit < 2.10 - Reflected Cross-Site Scripting via tab, order, and orderby

Published

2024-04-25

Title

Advanced Most Recent Posts Mod <= 1.6.5.2 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2021-03-17

Title

WP Page Builder < 1.2.4 - Multiple Stored Cross-Site scripting (XSS)