WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

On the dashboard navigate to weForms > All Forms > Add Form > Choose Contact Form;
Click Create Form >  Settings
Inject with cross-site scripting (xss) payload: <img src=x onerror=alert(document.cookie);> on Message to Show form.
Save Form
On the post/page containing the form, fill up the contact form and submit it to trigger the payload

Affects Plugins

weforms
Fixed in version 1.6.14

References

CVE
CVE-2022-2395

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Tri Wanda Septian

Submitter

Tri Wanda Septian

Submitter website
https://twseptian.github.io/
Submitter twitter
twseptian_
Verified

Yes

WPVDB ID
5e442dd9-a49d-4a8e-959b-199a8689da4b

Timeline

Publicly Published

2022-07-12 (about 6 months ago)

Added

2022-07-12 (about 6 months ago)

Last Updated

2022-07-12 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin