482 matches found
WP Forms Puzzle Captcha <= 4.1 - Cross-Site Request Forgery to Cross-Site Scripting
Description The WP Forms Puzzle Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this functio...
VulnCheck KEV: CVE-2023-0552
The Registration Forms WordPress plugin before 3.8.2.3 does not properly validate the redirection URL when logging in and login out, leading to an Open Redirect vulnerability...
The vulnerability of the Registration Forms plugin in the WordPress content management system allows a hacker to redirect users to arbitrary websites.
The vulnerability of the Registration Forms plugin in the WordPress content management system involves redirecting URLs to an unreliable website. Exploiting this vulnerability could allow a malicious actor to redirect users to arbitrary websites...
WordPress Ninja Forms Plugin < 3.6.34 is vulnerable to Cross Site Scripting (XSS)
Software Ninja Forms Type Plugin Vulnerable versions 3.6.34 Fixed in 3.6.34 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-5530 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID a9b2d204bb4c Credits Jonathan Zamora Required...
CVE-2023-5530
The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfilteredhtml capability can perform this, and such users are already allowed to use ...
CVE-2023-5073
The iframe forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'iframe' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and...
WordPress Quill Forms Plugin <= 3.3.0 is vulnerable to Broken Access Control
Software Quill Forms Type Plugin Vulnerable versions = 3.3.0 Fixed in 3.4.0 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2023-46610 Patch priority High CVSS severity High 6.5 Developer Claim ownership PSID f234d1eb3578 Credits Abdi Pranata Required privilege...
CVE-2023-4109
The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability...
CVE-2023-0439
The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins in multisite / admins in single site can create forms, however there is a settings allowing them to give lower roles access to such featur...
PT-2023-16270 · WordPress · Nex-Forms
Name of the Vulnerable Software and Affected Versions: NEX-Forms WordPress plugin versions prior to 8.4.4 Description: The issue is related to Stored Cross-Site Scripting, which could be caused by the lack of proper escaping of the form name. This could potentially be exploited by users with acce...
CVE-2023-35095 WordPress Flo Forms Plugin <= 1.0.40 is vulnerable to Cross Site Scripting (XSS)
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Flothemes Flo Forms – Easy Drag & Drop Form Builder plugin = 1.0.40 versions...
CVE-2021-4367
The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Options Change by using the floimportformsoptions AJAX action in versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping along with missing...
CVE-2020-36717
The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to incorrect nonce handling throughout the plugin's function. This makes it possible for unauthenticated attackers to access the plugin's administrative functions v...
Authentication flaw
The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the updateoption lacking proper authentication checks. This makes it possible for any authenticated attacker to change or delete the plugin's settings...
Design/Logic Flaw
The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliformsformdeleteuploadedfile function lacking any privilege or user protections. This makes it possible for unauthenticated attackers to dele...
CVE-2020-36717 Kali Forms <= 2.1.1 - Cross-Site Request Forgery
The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to incorrect nonce handling throughout the plugin's function. This makes it possible for unauthenticated attackers to access the plugin's administrative functions v...
PT-2023-12478
Name of the Vulnerable Software and Affected Versions: The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress versions up to, and including, 1.0.35 Description: The issue is related to Stored Cross-Site Scripting via Options Change, which occurs when using the flo import forms options...
WordPress Formidable Forms Plugin < 6.3.1 is vulnerable to Broken Access Control
Software Formidable Forms Type Plugin Vulnerable versions 6.3.1 Fixed in 6.3.1 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE N/A Patch priority Medium CVSS severity Medium 5.4 Developer Claim ownership PSID bb421c7db580 Credits WordFence Required privilege...
CVE-2023-2836
The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2023-2836
CVE-2023-2836 applies to the CRM Perks Forms plugin for WordPress. It is a stored XSS vulnerability in form settings, affecting versions up to and including 1.1.1. The root cause is insufficient input sanitization and output escaping, allowing an authenticated attacker with administrator-level pe...