Contact Form & Lead Form Elementor Builder < 1.7.0 – Multiple Admin+ Stored Cross-Site Scripting | CVE 2022-23179 | Plugin Vulnerabilities

Description

The plugin does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Create/Edit a form and put the following payload in a Filed Name or Default Value; "style=animation-name:rotation onanimationstart=alert(/XSS/)// yo="

Affects Plugins

lead-form-builder

Fixed in 1.7.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Yoru Oni

Submitter

Yoru Oni

Submitter website

https://profiles.wordpress.org/yoruoni/

Verified

Yes

WPVDB ID

90b8af99-e4a1-4076-99fa-efe805dd4be4

Timeline

Publicly Published

2022-01-05 (about 4 years ago)

Added

2022-02-01 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2021-07-31

Title

WP Dialog <= 1.2.5.5 - Authenticated Stored Cross-Site Scripting

Published

2025-05-07

Title

Ajax Load More < 7.3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-03-28

Title

Text Hover < 4.2 - Admin+ Stored Cross-Site Scripting

Published

2024-11-11

Title

Master Addons for Elementor < 2.1.0 - Author+ Stored XSS

Published

2025-07-07

Title

Media Folder <= 1.0.0 - Reflected Cross-Site Scripting