WordPress Plugin Vulnerabilities

Form Builder < 1.9.8.4 - Authenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed

Proof of Concept

Create a new Form via the plugin, go to Form Settings then add the following payload in the Title field: "><img src onerror=alert(1)> and save the form

The XSS will be triggered when viewing/editing the form in the admin dashboard

Affects Plugins

Plugin icon
contact-form-add
Fixed in 1.9.8.4

References

CVE
CVE-2021-24513

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Felipe Restrepo Rodriguez
Submitter
Felipe Restrepo Rodriguez
Submitter website
https://pfelilpe.com
Submitter twitter
Pfelilpe
Verified
Yes
WPVDB ID
a1dc0ea9-51dd-43c3-bfd9-c5106193aeb6

Timeline

Publicly Published
2021-08-09 (about 2 years ago)
Added
2021-08-09 (about 2 years ago)
Last Updated
2022-02-24 (about 2 years ago)

Other

Published
Title
Published
2023-07-05
Title
WP Full Stripe Free < 7.0.6 - Admin+ Stored Cross-Site Scripting
Published
2023-06-02
Title
Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.1 - Unauthenticated Stored Cross-Site Scripting
Published
2020-07-12
Title
Newsletter < 6.7.7 - Authenticated Stored Cross-Site Scripting
Published
2022-10-12
Title
3com Asesor de Cookies <= 3.4.3 - Admin+ Stored XSS
Published
2023-12-27
Title
Stock Ticker < 3.23.5 - Authenticated (Contributor+) Stored Cross-Site Scritping