Visual Form Builder < 3.0.7 – Admin+ Stored Cross-Site Scripting | CVE 2022-1046 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the form's 'Email to' field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Create/edit a form and put the following payload in the 'E-mail To' field: "><img src onerror=alert(/XSS/)>

The XSS will be triggered when editing the form

Affects Plugins

visual-form-builder

Fixed in 3.0.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Akash Rajendra Patil

Submitter

Akash Rajendra Patil

Submitter website

https://akashpatil.me

Submitter twitter

Verified

Yes

WPVDB ID

a1ae4512-0b5b-4f36-8334-14633bf24758

Timeline

Publicly Published

2022-04-07 (about 3 years ago)

Added

2022-04-07 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2015-06-12

Title

Yoast SEO < 2.2 - Authenticated Stored DOM XSS

Published

2020-09-09

Title

Elementor Addon Elements < 1.6.4 - CSRF & XSS

Published

2023-11-10

Title

Sponsors <= 3.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2014-08-01

Title

Meta Slider <= 2.5 - Cross-Site Scripting (XSS)

Published

2025-08-20

Title

Risk Free Cash On Delivery (COD) - WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting