CRM Perks Forms < 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2023-51536 | Plugin Vulnerabilities

Description

The CRM Perks Forms – WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on the label field. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

crm-perks-forms

Fixed in 1.1.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca954d68-18a5-47e2-af56-261c7a55b017

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ngô Thiên An (ancorn_)

Verified

No

WPVDB ID

bf9cbc41-bf11-410c-b2d6-27d407755ed1

Timeline

Publicly Published

2023-12-27 (about 2 years ago)

Added

2024-01-05 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2017-02-20

Title

AnyVar 0.1.1 - Stored Cross-Site Scripting (XSS)

Published

2022-01-31

Title

WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting

Published

2019-03-13

Title

WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)

Published

2019-09-16

Title

InJob < 3.3.8 - Reflected & Persistent XSS

Published

2024-02-20

Title

Beaver Builder < 2.7.4.3 - Reflected XSS