WordPress Forms by Pie Forms < 1.4.9.4 – Admin+ Stored Cross-Site Scripting | CVE 2022-1569 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed

Proof of Concept

Create/edit a form, go to the Form Settings -> General Settings and put the following payload in the "Form Name", "Form Description" and "Successful form submission message": <script>alert(/XSS/)</script>, and tick the "Enable Form Title / Name on Front End" as well as "Enable Form Description Front End" checkboxes

Save the form. The XSS will be triggered in pages/post where the form is embed, and after the form is sent

Affects Plugins

pie-forms-for-wp

Fixed in 1.4.9.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Hitesh Kumar

Submitter

Hitesh Kumar

Submitter website

https://grey-fish.github.io

Verified

Yes

WPVDB ID

5a2756c1-9abf-4fd6-8ce2-9f840514dfcc

Timeline

Publicly Published

2022-05-12 (about 2 years ago)

Added

2022-05-12 (about 2 years ago)

Last Updated

2022-05-12 (about 2 years ago)

Other

Published

Title

Published

2020-02-03

Title

Ninja Forms < 3.4.23 - CSRF to Stored Cross-Site Scripting (XSS)

Published

2019-10-16

Title

Events Manager < 5.9.6 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-03-29

Title

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Icons Widget

Published

2022-11-16

Title

Image Hover Effects < 5.5 - Admin+ Stored XSS

Published

2021-05-17

Title

Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID