HTML Forms < 1.3.33 – Admin+ Stored XSS | CVE 2024-6243 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled.

Proof of Concept

Add this success message in the Messages section of the form, so when a user submits the form and hovers over the 'Thank you!' message, the JavaScript code will be executed:

<a onmouseover="alert(document.cookie)" href="#">Thank you !</a>

Affects Plugins

Fixed in 1.3.33

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Majdeddine Ben Hadj Brahim

Submitter

Majdeddine Ben Hadj Brahim

Verified

Yes

WPVDB ID

f4097877-ba19-4738-a994-9593b9a5a635

Timeline

Publicly Published

2024-07-01 (about 1 year ago)

Added

2024-07-01 (about 1 year ago)

Last Updated

2024-07-01 (about 1 year ago)

Other

Published

Title

Published

2020-08-17

Title

Easy Media Download < 1.1.5 - Authenticated Stored Cross-Site Scripting

Published

2025-01-16

Title

Formatted post <= 1.01 - Reflected Cross-Site Scripting

Published

2024-05-30

Title

Just Writing Statistics < 4.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2023-04-05

Title

Weaver Xtreme Theme < 6.2 - Contributor+ Stored Cross-Site Scripting

Published

2023-11-15

Title

Daily Prayer Time < 2023.10.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode