Smart Forms < 2.6.96 – Admin+ Stored XSS | CVE 2024-1905 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Add a new form or edit an existing form
2. In the CSS field, enter the payload `</script><script>alert(/XSS: CSS/)</script>`. In the "After Submit" section, enter the payload `<script>alert(/XSS: after submit alert /)</script>` for the "Show Alert Message".
3. View the form and then see the XSS

Affects Plugins

Fixed in 2.6.96

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

b9a448d2-4bc2-4933-8743-58c8768a619f

Timeline

Publicly Published

2024-04-08 (about 1 months ago)

Added

2024-04-08 (about 1 months ago)

Last Updated

2024-04-08 (about 1 months ago)

Other

Published

Title

Published

2019-06-25

Title

iLive <= 1.0.4 - Stored Cross-Site Scripting (XSS)

Published

2014-12-15

Title

SEO Redirection < 2.3 - Unauthenticated Stored Cross-Site Scripting (XSS)

Published

2014-08-01

Title

jammer <= 0.2 - jPlayer.swf XSS

Published

2014-10-08

Title

Google Calendar Events < 2.0.4 - XSS

Published

2023-01-17

Title

uTubeVideo Gallery < 2.0.8 - Contributor+ Stored XSS