WordPress Plugin Vulnerabilities

FormCraft - Premium WordPress Form Builder < 3.4 - Authenticated Stored XSS

Description

WordPress FormCraft Premium WordPress Form Builder versions 3.2.31 and below suffer from a persistent Cross-Site Scripting (XSS) vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
formcraft3
Fixed in 3.4

References

CVE
CVE-2017-18600
URL
https://packetstormsecurity.com/files/#143498/
URL
https://formcraft-wp.com/changelog/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Submitter
8bitsec
Submitter website
http://8bitsec.io/
Submitter twitter
_8bitsec
Verified
No
WPVDB ID
aa2650ae-20e5-4293-b8f4-7df42a29af83

Timeline

Publicly Published
2017-07-26 (about 8 years ago)
Added
2017-08-02 (about 8 years ago)
Last Updated
2021-05-27 (about 4 years ago)

Other

Published
Title
Published
2022-04-12
Title
Themify - Post Type Builder Search Addon < 1.4.0 - Reflected Cross-Site Scripting
Published
2025-10-04
Title
USERCENTRICS CMP <= 1.0.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-05-24
Title
Pray For Me <= 1.0.4 - Unauthenticated Stored XSS
Published
2018-10-24
Title
Pie Register <= 3.0.17 - Unauthenticated Cross-Site Scripting (XSS)
Published
2025-01-22
Title
The Events Calendar < 6.9.1 - Contributor+ Stored XSS