WordPress Plugin Vulnerabilities

Forms Ada <= 1.0 - Unauthenticated Reflected XSS

Description

The plugin does not sanitize and escape some of it's parameters before reflecting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

Affects Plugins

Plugin icon
forms-ada-form-builder
No known fix

References

CVE
CVE-2023-27613
URL
https://patchstack.com/database/vulnerability/forms-ada-form-builder/wordpress-forms-ada-plugin-1-0-cross-site-scripting-xss-vulnerability
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/forms-ada-form-builder/forms-ada-10-reflected-cross-site-scripting-via-p-parameter

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Pavak Tiwari
Verified
No
WPVDB ID
fcc77a70-3168-4908-963d-68495eadf12e

Timeline

Publicly Published
2023-04-24 (about 3 years ago)
Added
2023-05-30 (about 2 years ago)
Last Updated
2023-05-30 (about 2 years ago)

Other

Published
Title
Published
2024-05-16
Title
Essential Blocks < 4.5.13 - Contributor+ Stored XSS
Published
2015-03-13
Title
Wpml < 3.1.9 - XSS
Published
2024-04-16
Title
Zynith SEO <= 7.4.9 - Unauthenticated Stored Cross-Site Scripting
Published
2024-11-04
Title
Daily Image <= 1.0 - Reflected Cross-Site Scripting
Published
2024-03-25
Title
ReDi Restaurant Reservation < 24.0303 - Reflected Cross-Site Scripting