WordPress Plugin Vulnerabilities

Wise Agent Capture Forms < 3.0 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/WiseAgentCaptureForm.php file which allows attackers to inject arbitrary web scripts.

Affects Plugins

Plugin icon
wiseagentleadform
Fixed in 3.0

References

CVE
CVE-2021-38335
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38335

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
p7e4
Verified
No
WPVDB ID
2d8ae903-b4a5-4d2a-aa22-2d74e2aa1f84

Timeline

Publicly Published
2021-09-09 (about 4 years ago)
Added
2021-09-10 (about 4 years ago)
Last Updated
2023-07-07 (about 2 years ago)

Other

Published
Title
Published
2024-10-09
Title
Simple Baseball Scoreboard <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-11
Title
Gutenberg Blocks and Page Layouts – Attire Blocks < 1.9.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-07-16
Title
Image Wall < 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-28
Title
WP-OGP <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-06-11
Title
Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_content]