Lucene search

[email protected]NVD:CVE-2023-0546

HistoryApr 10, 2023 - 2:15 p.m.

CVE-2023-0546

2023-04-1014:15:08

[email protected]

web.nvd.nist.gov

wordpress

security vulnerability

javascript injection

user privilege escalation

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it’s custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form.

Affected configurations

Nvd

Node

fluentformscontact_formRange<4.3.25wordpress

VendorProductVersionCPE
fluentformscontact_form*cpe:2.3:a:fluentforms:contact_form:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
fluentforms	contact_form	*	cpe:2.3:a:fluentforms:contact_form::::::wordpress::*

References

wpscan.com/vulnerability/078f33cd-0f5c-46fe-b858-2107a09c6b69