WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Contact Form by WPForms < 1.5.9 - Authenticated Cross-Site Scripting (XSS)

Description

The popular WordPress plugin, WPForms, was found to be vulnerable to Authenticated Cross-Site Scripting (XSS).

The Form Description and Field Description fields in the WPForms plugin’s Form Builder module was found to be vulnerable to stored XSS, as they did not sanitize user given input properly.

Affects Plugins

wpforms-lite
Fixed in version 1.5.9

References

CVE
CVE-2020-10385
URL
https://www.jinsonvarghese.com/stored-xss-vulnerability-found-in-wpforms-plugin/
URL
https://packetstormsecurity.com/files/156874/
URL
https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-wpforms-plugin/
ExploitDB
48245

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Jinson Varghese Behanan

Submitter

Jinson Varghese Behanan

Submitter website
https://www.jinsonvarghese.com
Submitter twitter
JinsonCyberSec
Verified

No

WPVDB ID
0d5c51d8-a834-4680-9939-b6d37fd3d237

Timeline

Publicly Published

2020-03-05 (about 2 years ago)

Added

2020-03-05 (about 2 years ago)

Last Updated

2020-12-22 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin