WS Form < 1.8.176 – Unauthenticated Stored Cross-Site Scripting | CVE 2022-23988 | Plugin Vulnerabilities

Description

The plugins do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission

Proof of Concept

- Created a basic contact form and publish it
- As an unauthenticated user, go the page/post where the form is embed and put the following payload in the "Your Inquiry" or in "Description" fields: "><img src onerror=alert(/XSS/)>
- The XSS will be triggered when an admin will view the related submission (eg: wp-admin/admin.php?orderby&order&page=ws-form-submit&id=1&paged=1#1)

Affects Plugins

Fixed in 1.8.176

Fixed in 1.8.176

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Felipe Restrepo Rodriguez

Submitter

Felipe Restrepo Rodriguez

Submitter website

https://www.pfelilpe.com

Submitter twitter

Verified

Yes

WPVDB ID

9d5738f9-9a2e-4878-8a03-745894420bf6

Timeline

Publicly Published

2022-01-31 (about 3 years ago)

Added

2022-01-31 (about 3 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2025-01-07

Title

Sell Digital Downloads <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-24

Title

Fiverr.com Official Search Box <= 1.0.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2025-09-22

Title

Proof Factor – Social Proof Notifications <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2016-11-19

Title

WP Canvas - Shortcodes < 2.07 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2025-03-04

Title

Woocommerce < 9.7.1 - Shop Manager+ Stored XSS via New Product Form