WordPress Forms by Pie Forms < 1.4.9.4 – Admin+ Stored Cross-Site Scripting | CVE 2022-1569 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed

Proof of Concept

Create/edit a form, go to the Form Settings -> General Settings and put the following payload in the "Form Name", "Form Description" and "Successful form submission message": <script>alert(/XSS/)</script>, and tick the "Enable Form Title / Name on Front End" as well as "Enable Form Description Front End" checkboxes

Save the form. The XSS will be triggered in pages/post where the form is embed, and after the form is sent

Affects Plugins

pie-forms-for-wp

Fixed in 1.4.9.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Hitesh Kumar

Submitter

Hitesh Kumar

Submitter website

https://grey-fish.github.io

Verified

Yes

WPVDB ID

5a2756c1-9abf-4fd6-8ce2-9f840514dfcc

Timeline

Publicly Published

2022-05-12 (about 3 years ago)

Added

2022-05-12 (about 3 years ago)

Last Updated

2022-05-12 (about 3 years ago)

Other

Published

Title

Published

2022-02-17

Title

Profile Builder < 3.6.2 - Reflected Cross-Site Scripting

Published

2024-02-13

Title

Starbox < 3.5.0 - Contributor+ Stored XSS

Published

2024-11-22

Title

Memberlite Shortcodes < 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via memberlite_accordion Shortcode

Published

2025-04-15

Title

WooMS <= 9.12 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Bookings <= 1.8.2 - controlpanel.php error Parameter XSS