Lucene search
Bob MatyasWPEX-ID:B9A448D2-4BC2-4933-8743-58C8768A619FHistoryApr 08, 2024 - 12:00 a.m.
Smart Forms < 2.6.96 - Admin+ Stored XSS
2024-04-0800:00:00
Bob Matyas
13
smart forms
vulnerability
stored xss
poc
april 22 2024
update required
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
1. Add a new form or edit an existing form
2. In the CSS field, enter the payload `</script><script>alert(/XSS: CSS/)</script>`. In the "After Submit" section, enter the payload `<script>alert(/XSS: after submit alert /)</script>` for the "Show Alert Message".
3. View the form and then see the XSSRelated
wpvulndb
wpvulndb
Smart Forms < 2.6.96 - Admin+ Stored XSS
2024-04-08 00:00:00
cve
cve
CVE-2024-1905
2024-04-29 06:15:07
cvelist
cvelist
CVE-2024-1905 Smart Forms < 2.6.96 - Admin+ Stored XSS
2024-04-29 06:00:01
wordfence
wordfence
5.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
8.7%
Related for WPEX-ID:B9A448D2-4BC2-4933-8743-58C8768A619F