ARForms Builder < 1.7.1 – Unauthenticated Stored XSS | CVE 2024-10504 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

Proof of Concept

1. Add a new form
2. Add an "Image URL" field
3. Save the form and add the shortcode to a new post/page
4. As an unauthenticated user, add the payload `test" height="50px" alt="/" onerror="alert('Malek66S')"` to the Image URL field and submit
5. As an admin, view the submission and see the XSS Alert

Affects Plugins

arforms-form-builder

Fixed in 1.7.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Malek Althubiany

Submitter

Malek Althubiany

Submitter website

https://www.linkedin.com/in/malekalthubiany

Verified

Yes

WPVDB ID

9a22df11-0e24-4248-a8f3-da8f23ccb313

Timeline

Publicly Published

2024-09-23 (about 1 year ago)

Added

2025-01-06 (about 11 months ago)

Last Updated

2025-01-06 (about 11 months ago)

Other

Published

Title

Published

2021-08-02

Title

VDZ Google Analytics or Google Tag Manager / GTM < 1.6.0 - Authenticated Stored XSS

Published

2025-03-19

Title

CG Button <= 1.0.5.6 - Reflected Cross-Site Scripting

Published

2025-08-26

Title

Theme Blvd Widget Areas <= 1.3.0 - Reflected Cross-Site Scripting

Published

2022-12-19

Title

WP Recipe Maker < 8.6.1 - Contributor+ Stored XSS

Published

2021-05-05

Title

Target First Plugin 2.0 - Unauthenticated Stored XSS via Licence Key