Form Maker < 1.13.60 – Authenticated Stored XSS | CVE 2021-24526 | Plugin Vulnerabilities

Description

The plugin does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue

Proof of Concept

Create or edit a form and add the following payload in the Form Title field "autofocus onmouseover=alert(/XSS/)// save it and move the mouse over the Title field

Edit (WPScanTeam): better payload (no interaction needed other than editing the affected Form): " style="animation-name:rotation" onanimationstart="alert(/XSS/)//

Affects Plugins

Fixed in 1.13.60

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Felipe Restrepo Rodriguez

Submitter

Felipe Restrepo Rodriguez

Submitter website

https://pfelilpe.com

Submitter twitter

Verified

Yes

WPVDB ID

17287d8a-ba27-42dc-9370-a931ef404995

Timeline

Publicly Published

2021-07-15 (about 2 years ago)

Added

2021-07-15 (about 2 years ago)

Last Updated

2021-07-30 (about 2 years ago)

Other

Published

Title

Published

2021-09-06

Title

CM Tooltip Glossary < 3.9.21 - Contributor+ Stored Cross-Site Scripting

Published

2014-08-01

Title

Form Maker 1.6.4 - front_end_form_maker.php Unspecified XSS

Published

2014-08-01

Title

All in One SEO Pack <= 2.1.5 - aioseop_functions.php new_meta Parameter XSS

Published

2023-07-12

Title

MF Gig Calendar < 1.2.1 - Contributor+ Stored Cross-Site Scripting

Published

2022-12-20

Title

Download Manager < 3.2.62 - Contributor+ Stored XSS