PDF Generator For Fluent Forms < 1.1.8 – Cross-Site Scripting | CVE 2023-6953 | Plugin Vulnerabilities

Description

The PDF Generator For Fluent Forms – The Contact Form Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the header, PDF body and footer content parameters in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploitation level depends on who is granted the right to create forms by an administrator. This level can be as low as contributor, but by default is admin.

Affects Plugins

fluentforms-pdf

Fixed in 1.1.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b6675c48-43d4-4394-a4a3-f753bdaa5c4e

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

drop

Verified

No

WPVDB ID

8d0121f6-0ccf-4bb5-ad32-d2ddde0844c9

Timeline

Publicly Published

2024-01-22 (about 2 years ago)

Added

2024-01-22 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2026-02-18

Title

Apollo13 Framework Extension < 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via `a13_alt_link` Parameter

Published

2024-12-20

Title

MagicPost < 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wb_share_social Shortcode

Published

2024-06-20

Title

Elegant Themes Icons <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-04-21

Title

WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2023-04-17

Title

Sloth Logo Customizer <= 2.0.2 - Stored XSS via CSRF