WordPress Plugin Vulnerabilities

Zoho CRM Lead Magnet < 1.7.2.9 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape Form Names, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Affects Plugins

Plugin icon
zoho-crm-forms
Fixed in 1.7.2.9

References

CVE
CVE-2021-33849

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Cyber Security Works Pvt. Ltd
Verified
Yes
WPVDB ID
7cc3db47-a302-4034-b434-b75bf80e88ca

Timeline

Publicly Published
2021-09-01 (about 4 years ago)
Added
2022-03-09 (about 4 years ago)
Last Updated
2022-04-17 (about 3 years ago)

Other

Published
Title
Published
2024-05-13
Title
140+ Widgets | Best Addons For Elementor – FREE < 1.4.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Published
2025-03-31
Title
Infusionsoft Web Form JavaScript <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-01
Title
Sheet2Site <= 1.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
Spreadsheet - /dhtmlxspreadsheet/codebase/spreadsheet.php page Parameter Reflected XSS
Published
2023-05-11
Title
DevBuddy Twitter Feed <= 4.0.0 - Admin+ Stored XSS