PT-2023-32092 · WordPress · Funnelforms Free
Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress versions up to, and including, 3.4. Description: The issue allows authenticated attackers with subscriber-level permissions and above to send test emails to an arbitrary email address due to a missing...
PT-2023-32081 · WordPress · Funnelforms Free
Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress versions up to, and including, 3.4. Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the fnsf copy posts function. This allows unauthenticated...
WordPress Plugin Funnelforms Free Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
PT-2023-32091 · WordPress · Funnelforms
Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress versions up to, and including, 3.4. Description: The issue allows authenticated attackers with subscriber-level permissions and above to modify the Funnelforms category for a given post ID due to a missing...
PT-2023-32084 · WordPress · Funnelforms Free
Name of the Vulnerable Software and Affected Versions: Funnelforms Free plugin for WordPress versions up to and including 3.4. Description: The issue allows authenticated attackers with subscriber-level permissions and above to modify data without proper authorization. This is due to a missing...
Funnelforms Free < 3.4.2 - Form Deletion/Duplication via CSRF
Description: The plugin does not have CSRF checks on some of its form actions, such as deletion and duplication, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks. Make a logged-in admin open an HTML page with the form below. Deletion: This will delete the form...
Funnelforms Free < 3.4.2 - Form Deletion/Duplication via CSRF
Description: The plugin does not have CSRF checks on some of its form actions, such as deletion and duplication, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks. PoC: Make a logged-in admin open an HTML page with the form below. Deletion: This will delete the...
WordPress Funnelforms Free Plugin <= 3.4 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Funnelforms Free; Type: Plugin; Vulnerable versions: <= 3.4; Fixed in: 3.4.2; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-5383; Patch priority: Low; CVSS severity: Low (4.3); PSID: 647c8d609a9c; Credits: Duc Manh; Required...
WordPress Funnelforms Free Plugin <= 3.4 is vulnerable to Broken Access Control
Software: Funnelforms Free; Type: Plugin; Vulnerable versions: <= 3.4; Fixed in: 3.4.2; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-5385; Patch priority: Low; CVSS severity: Low (4.3); PSID: dbef4dc9af18; Credits: WordFence; Required privilege...
WordPress Funnelforms Free Plugin <= 3.4 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Funnelforms Free; Type: Plugin; Vulnerable versions: <= 3.4; Fixed in: 3.4.2; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-5382; Patch priority: Low; CVSS severity: Low (4.3); PSID: f05b14250614; Credits: Duc Manh; Required...
CVE-2023-4950 Funnelforms Free < 3.4 Unauthenticated Stored Cross-Site Scripting
The Interactive Contact Form and Multi Step Form Builder WordPress plugin before 3.4 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks...
Funnelforms Free < 3.4 Unauthenticated Stored Cross-Site Scripting
Description: The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks. 1. Create a contact form. 2. Embed the contact form shortcode on a post or page. 3. As an unauthenticated user, inject the inputs for a malicious scri...
WordPress Funnelforms Free Plugin < 3.4 is vulnerable to Cross Site Scripting (XSS)
Software: Funnelforms Free; Type: Plugin; Vulnerable versions: < 3.4; Fixed in: 3.4; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: N/A; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: a66c581b7251; Credits: Unknown; Required privilege...
WordPress Funnelforms Free Plugin < 3.3.8.5 is vulnerable to Cross Site Scripting (XSS)
Software: Funnelforms Free; Type: Plugin; Vulnerable versions: < 3.3.8.5; Fixed in: 3.3.8.5; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-33999; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 8ac7f31605d7; Credits: Rafie Muhammad Patchstack...