WordPress Plugin Vulnerabilities

Torro Forms <= 1.0.16 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
torro-forms
No known fix

References

CVE
CVE-2022-36791

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Ngo Van Thien
Verified
No
WPVDB ID
6cd431b3-a8d2-462f-9c18-a8eccba1574a

Timeline

Publicly Published
2022-09-02 (about 3 years ago)
Added
2022-09-25 (about 3 years ago)
Last Updated
2022-09-25 (about 3 years ago)

Other

Published
Title
Published
2025-04-01
Title
Gutena Kit – Gutenberg Blocks and Templates <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-29
Title
WPAdverts – Classifieds Plugin < 2.1.7 - Unauthenticated Stored Cross-Site Scripting via adverts_add Shortcode
Published
2024-02-23
Title
ProfilePress < 4.15.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via profilepress-edit-profile Shortcode
Published
2025-05-16
Title
X Addons for Elementor < 1.0.17 - Contributor+ Stored XSS
Published
2024-03-05
Title
Social Sharing Plugin – Sassy Social Share < 3.3.59 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode