WordPress Plugin Vulnerabilities

Forms < 1.12.3 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not sanitise its input fields, leading to Stored Cross-Site scripting issues. The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the Forms "Add new" field.

Proof of Concept

Affects Plugins

Plugin icon
forms-by-made-it
Fixed in 1.12.3

References

CVE
CVE-2021-24505
URL
https://plugins.trac.wordpress.org/changeset/2558899/forms-by-made-it

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
SHUBHANGI DAWKHAR
Submitter
SHUBHANGI DAWKHAR
Verified
No
WPVDB ID
550e08ac-4c3a-4e22-8e98-bc5bfc020ca9

Timeline

Publicly Published
2021-07-03 (about 4 years ago)
Added
2021-07-06 (about 4 years ago)
Last Updated
2022-01-17 (about 3 years ago)

Other

Published
Title
Published
2024-05-22
Title
iframe < 5.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Published
2025-01-16
Title
Causes – Donation Plugin <= 1.0.01 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
Connections Business Directory <= 0.7.9.3 - Pagination URL H&ling XSS
Published
2024-11-22
Title
Ultimate Blocks < 3.2.4 - Contributor+ Stored XSS
Published
2022-08-09
Title
Social Slider Feed < 2.0.7 - Admin+ Stored XSS via Feeds