WordPress Plugin Vulnerabilities

Form Builder 1.9.8.4 - Reflected Cross-Site Scripting (XSS)

Description

The plugin does not properly sanitise and escape its from_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.

Proof of Concept

Affects Plugins

Plugin icon
contact-form-add
Fixed in 1.9.8.5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
bf72f817-c0f3-4692-9a62-639a3b1414d5

Timeline

Publicly Published
2021-08-09 (about 4 years ago)
Added
2021-08-09 (about 4 years ago)
Last Updated
2021-08-09 (about 4 years ago)

Other

Published
Title
Published
2023-10-24
Title
CallRail Phone Call Tracking < 0.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-06-06
Title
Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.8.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Zipped SVG
Published
2025-05-07
Title
Top 10 < 4.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-05-06
Title
WZ Followed Posts – Display what visitors are reading < 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-02-20
Title
Video Background < 2.7.5 - Contributor+ Stored XSS via Shortcode