WordPress Plugin Vulnerabilities

All-in-one Floating Contact Form < 2.0.4 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The plugin was vulnerable to reflected XSS on the my-sticky-elements-leads admin page.

Proof of Concept

Affects Plugins

Plugin icon
mystickyelements
Fixed in 2.0.4

References

CVE
CVE-2022-0148
URL
https://plugins.trac.wordpress.org/changeset/2654453/mystickyelements

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
37665ee1-c57f-4445-9596-df4f7d72c8cd

Timeline

Publicly Published
2022-01-10 (about 3 years ago)
Added
2022-01-10 (about 3 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2024-03-25
Title
BuddyForms < 2.8.6 - Reflected Cross-Site Scripting via page
Published
2024-10-25
Title
Forms for Mailchimp by Optin Cat – Grow Your MailChimp List < 2.5.8 - Reflected Cross-Site Scripting
Published
2025-02-26
Title
Meintopf <= 0.2.1 - Reflected XSS
Published
2016-04-12
Title
MW Font Changer < 4.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2023-12-06
Title
Shortcodes and extra features for Phlox theme < 2.15.5 - Contributor+ Stored XSS