WordPress Plugin Vulnerabilities

Contact Form by WPForms < 1.5.9 - Authenticated Cross-Site Scripting (XSS)

Description

The popular WordPress plugin, WPForms, was found to be vulnerable to Authenticated Cross-Site Scripting (XSS).

The Form Description and Field Description fields in the WPForms plugin’s Form Builder module was found to be vulnerable to stored XSS, as they did not sanitize user given input properly.

Affects Plugins

Plugin icon
wpforms-lite
Fixed in 1.5.9

References

CVE
CVE-2020-10385
Exploitdb
48245
URL
https://packetstormsecurity.com/files/#156874/
URL
https://www.jinsonvarghese.com/stored-xss-vulnerability-found-in-wpforms-plugin/
URL
https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-wpforms-plugin/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Jinson Varghese Behanan
Submitter
Jinson Varghese Behanan
Submitter website
https://www.jinsonvarghese.com
Submitter twitter
JinsonCyberSec
Verified
No
WPVDB ID
0d5c51d8-a834-4680-9939-b6d37fd3d237

Timeline

Publicly Published
2020-03-05 (about 5 years ago)
Added
2020-03-05 (about 5 years ago)
Last Updated
2020-12-22 (about 5 years ago)

Other

Published
Title
Published
2024-11-22
Title
Image Widget < 4.4.11 - Admin+ Stored XSS
Published
2024-08-08
Title
CoBlocks < 3.1.13 - Editor+ Stored XSS
Published
2017-10-12
Title
PopCash.Net Code Integration Tool <= 1.0 - Cross-Site Scripting (XSS)
Published
2025-04-01
Title
Piotnet Forms <= 1.0.30 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2023-01-05
Title
CPO Companion < 1.1.0 - Admin+ Stored XSS