Cross site scripting

2023-06-0702:15:00

PRIOn knowledge base

www.prio-n.com

cross site scripting

flo forms

wordpress

stored

vulnerable

insufficient input sanitization

missing capability checks

options change

ajax action

authenticated attackers

subscribers

arbitrary web scripts

0.001 Low

EPSS

Percentile

36.6%

JSON

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Options Change by using the flo_import_forms_options AJAX action in versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping along with missing capability checks. This makes it possible for authenticated attackers, like subscribers, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CPENameOperatorVersion
flo_formsle1.0.35

CPE	Name	Operator	Version
	flo_forms	le	1.0.35

References

blog.nintechnet.com/zero-day-vulnerability-fixed-in-wordpress-flo-forms-plugin/

wpscan.com/vulnerability/b4a83501-c727-4c9b-a9a1-46b399ab0caa

www.wordfence.com/threat-intel/vulnerabilities/id/a175e103-ab89-404b-8736-94d0d93d6cf3?source=cve

0.001 Low

EPSS

Percentile

36.6%

JSON

Related for PRION:CVE-2021-4367