WS Form LITE – Drag & Drop Contact Form Builder for WordPress < 1.9.245 – Reflected Cross-Site Scripting via URL | CVE 2024-10647 | Plugin Vulnerabilities

Description

The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.244. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Fixed in 1.9.245

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6cab527f-bd67-4b67-8133-f085098d63dc

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Peter Thaleikis

Verified

No

WPVDB ID

edd7645e-8c19-4b1e-a9f4-018ccb38ad40

Timeline

Publicly Published

2024-11-05 (about 1 year ago)

Added

2024-11-05 (about 1 year ago)

Last Updated

2024-11-06 (about 1 year ago)

Other

Published

Title

Published

2025-08-22

Title

Sessions < 3.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-03-03

Title

Form Maker by 10Web < 1.15.30 - Admin+ Stored XSS

Published

2021-08-09

Title

WP Fusion Lite < 3.37.31 - Reflected Cross-Site Scripting (XSS)

Published

2015-07-08

Title

YOP Poll <= 5.7.3 - Reflected Cross-Site Scripting (XSS)

Published

2024-12-19

Title

aklamator-infeed <= 2.0.0 - Admin+ Stored XSS