WordPress Plugin Vulnerabilities

Arforms < 6.4.1 - Reflected XSS

Description

The plugin does not properly escape user-controlled input when it is reflected in some of its AJAX actions.

Proof of Concept

Affects Plugins

Plugin icon
arforms
Fixed in 6.4.1

References

CVE
CVE-2024-0427

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
mgthuramoemyint
Submitter
mgthuramoemyint
Submitter twitter
mgthuramoemyint
Verified
Yes
WPVDB ID
1806fef3-d774-46e0-aa48-7a101495f4eb

Timeline

Publicly Published
2024-05-22 (about 1 year ago)
Added
2024-05-22 (about 1 year ago)
Last Updated
2024-05-22 (about 1 year ago)

Other

Published
Title
Published
2023-12-22
Title
Sensei LMS < 4.18.0 - Contributor+ Stored XSS
Published
2025-02-24
Title
Contact Form 7 Star Rating with font Awesome <= 1.3 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2024-04-26
Title
Filterable Portfolio <= 1.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2021-05-17
Title
Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS
Published
2024-04-16
Title
Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics < 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting