WordPress Plugin Vulnerabilities

ARForms Form Builder < 1.7.2 - HTML Injection

Description

The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.7.1. This is due to the plugin not properly sanitizing and escaping data. This makes it possible for unauthenticated attackers to inject HTML elements.

Affects Plugins

Plugin icon
arforms-form-builder
Fixed in 1.7.2

References

CVE
CVE-2024-54223
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7f800bc0-5b1b-43fa-a267-d8db444d0c2c

Classification

Type
CROSS FRAME SCRIPTING
OWASP top 10
A1: Injection
CWE
CWE-80
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Pritam Dash
Verified
No
WPVDB ID
6da70132-7ab8-46cb-b2ca-977e75965f13

Timeline

Publicly Published
2024-12-05 (about 1 year ago)
Added
2024-12-12 (about 1 year ago)
Last Updated
2024-12-12 (about 1 year ago)

Other

Published
Title
Published
2026-01-06
Title
Responsive Pricing Table < 5.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'table_currency'
Published
2024-04-29
Title
All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic < 4.6.1.1 - Contributor+ Stored Cross-Site Scripting via Shortcode
Published
2024-03-06
Title
Database for Contact Form 7, WPforms, Elementor forms < 1.3.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Published
2024-03-27
Title
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress < 6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-04-15
Title
Exclusive Addons for Elementor < 2.6.9.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Post Grid