WordPress Plugin Vulnerabilities

Zoho CRM Lead Magnet Plugin - Authenticated Cross Site Scripting (XSS)

Description

The version affected was version 1.6.9.1

The plugin was removed from the WordPress plugin directory on October 15th 2019.

Affects Plugins

Plugin icon
zoho-crm-forms
Fixed in 1.6.9.2

References

CVE
CVE-2019-19306
URL
https://github.com/cybersecurityworks/Disclosed/issues/16

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Saran Baskar from Cyber Security Works Research Lab
Verified
No
WPVDB ID
b62ec692-bd06-485c-9742-0facba6219f3

Timeline

Publicly Published
2019-10-15 (about 6 years ago)
Added
2019-10-17 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-08-29
Title
Email Encoder < 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-08-16
Title
Admission AppManager <= 1.0.0 - Reflected Cross-Site Scripting
Published
2025-01-23
Title
ProfilePress < 4.15.20 - Admin+ Stored XSS
Published
2024-06-21
Title
Sketchfab Embed <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2016-07-13
Title
Master Slider < 2.8.0 - Reflected Cross-Site Scripting (XSS)