WordPress Plugin Vulnerabilities

Multi Step Form <= 1.2.5 - Cross-Site Scripting (XSS)

Description

The Multi Step Form WordPress plugin was affected by a Cross-Site Scripting (XSS) security vulnerability.

Affects Plugins

Plugin icon
multi-step-form
Fixed in 1.2.6

References

CVE
CVE-2018-14846
URL
https://cwatch.comodo.com/blog/website-security/vulnerability-found-in-multiple-stored-xss-form-in-wordpress-version-1-2-5/
URL
https://plugins.trac.wordpress.org/changeset?key5sk1=ed7e8ad919a00da1183b66e366c46367fc4cc26e&sfp_email=&sfph_mail=&reponame=&new=1919415%40multi-step-form&old=1917502%40multi-step-form
URL
https://github.com/mlooft/multi-step-form/commit/8a89f6deb888abb0ae679841ee96ee8332e5b5bc#diff-13d0709dedfe5ef22b22558c25b54ccf
URL
https://ansawaf.blogspot.com/2018/10/cve-2018-14846-multiple-stored-xss-in.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Mohammed Ansari
Submitter
Ryan Dewhurst
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
53be39a1-ae37-4d9f-8efd-ad2c6e0e5c0f

Timeline

Publicly Published
2018-10-31 (about 7 years ago)
Added
2019-01-07 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2022-09-23
Title
FontMeister <= 1.08 - Reflected Cross-Site Scripting
Published
2010-11-01
Title
Cforms <= 13.1 - 'lib_ajax.php' Cross-Site Scripting (XSS)
Published
2025-05-07
Title
WP Discord Invite < 2.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-08-14
Title
CM On Demand Search And Replace < 1.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2022-01-24
Title
Advanced Database Cleaner < 3.0.4 - Reflected Cross-Site Scripting