Visual Form Builder < 3.0.7 – Admin+ Stored Cross-Site Scripting | CVE 2022-1046 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the form's 'Email to' field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Create/edit a form and put the following payload in the 'E-mail To' field: "><img src onerror=alert(/XSS/)>

The XSS will be triggered when editing the form

Affects Plugins

visual-form-builder

Fixed in 3.0.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Akash Rajendra Patil

Submitter

Akash Rajendra Patil

Submitter website

https://akashpatil.me

Submitter twitter

Verified

Yes

WPVDB ID

a1ae4512-0b5b-4f36-8334-14633bf24758

Timeline

Publicly Published

2022-04-07 (about 2 years ago)

Added

2022-04-07 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2022-07-06

Title

Flexi Quote Rotator <= 0.9.4 - Admin+ Stored Cross-Site Scripting

Published

2022-01-03

Title

SVG Support < 2.3.20 - Admin+ Stored Cross-Site Scripting

Published

2016-10-21

Title

Heat Trackr <= 1.0 - XSS

Published

2024-03-12

Title

Prime Slider – Addons For Elementor < 3.13.3 - Contributor+ Stored Cross-Site Scripting via Rubix Widget

Published

2014-08-01

Title

vkontakte-api - vkontakte-api/swf/tagcloud.swf tagcloud Parameter XSS