CRM Perks Forms < 1.1.2 – Admin+ Stored Cross-Site Scripting | CVE 2023-2836

Description

The plugin does not sanitize and escape the form_id field in the plugin settings page, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Proof of Concept

https://example.com/wp-admin/admin.php?page=cfx-form&form_id=66%3F"onmouseover=alert(1)//

Affects Plugins

crm-perks-forms

Fixed in 1.1.2

References

CVE

CVE-2023-2836

URL

https://github.com/Don-H50/wp-vul/blob/main/CPF-xss-exploit.md

Miscellaneous

Original Researcher

Dongzhu Li

Verified

WPVDB ID

fcc8da17-bc08-4543-a3b5-126bab113d36

Timeline

Publicly Published

2023-05-30 (about 2 years ago)

Added

2023-05-31 (about 2 years ago)

Last Updated

2023-05-31 (about 2 years ago)

Other

Published

Title

Published

2020-02-05

Title

Events Manager < 5.9.7.2 - CSV Injection

Published

2014-09-30

Title

BulletProof Security < .52.5 - Script Insertion

Published

2014-08-01

Title

Easy Contact Forms Export 1.1.0 - Information Disclosure

Published

2017-01-11

Title

WordPress <= 4.7 - Post via Email Checks mail.example.com by Default

Published

2021-11-10

Title

WordPress < 5.8.2 - Expired DST Root CA X3 Certificate