CVE-2024-1905

The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-1905 Smart Forms < 2.6.96 - Admin+ Stored XSS

The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-1905 Smart Forms < 2.6.96 - Admin+ Stored XSS

The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

WordPress plugin Smart Forms 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability exists in...

PT-2024-30296 · Hubbank · Hubbank

Name of the Vulnerable Software and Affected Versions: HubBank version 1.0.2 Description: The issue is a Cross-site Scripting XSS vulnerability that allows an attacker to send a specially crafted JavaScript payload to registration and profile forms. This payload can be triggered when any...

WordPress plugin Smart Forms 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...

WordPress Smart Forms Plugin < 2.6.96 is vulnerable to Cross Site Scripting (XSS)

Software Smart Forms Type Plugin Vulnerable versions 2.6.96 Fixed in 2.6.96 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-1905 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID f2ffffc8c85a Credits Bob Matyas Required privileg...

MailerLite – Signup forms (official) < 1.7.7 - Missing Authorization

Description The MailerLite – Signup forms official plugin for WordPress is vulnerable to unauthorized plugin setting changes due to a missing capability check on the toggleRolesAndPermissions and editAllowedRolesAndPermissions functions in all versions up to, and including, 1.7.6. This makes it...

RomethemeForm For Elementor < 1.1.3 - Missing Authorization

Description The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to modify forms...

HubBank 跨站脚本漏洞

HubBank is an app from HubBank, Inc. A cross-site scripting vulnerability exists in HubBank version 1.0.2, which stems from the lack of effective filtering and escaping of user-supplied data on registration and profile forms, and can be exploited by an attacker to execute arbitrary web script or...

PT-2024-25362 · Rednao · Rednao Smart Forms

Name of the Vulnerable Software and Affected Versions: RedNao Smart Forms versions 2.6.91 and earlier Description: The issue is related to a Missing Authorization vulnerability in RedNao Smart Forms. Recommendations: For RedNao Smart Forms versions 2.6.91 and earlier, at the moment, there is no...

PT-2024-18411 · WordPress · Smart Forms

Name of the Vulnerable Software and Affected Versions: The Smart Forms WordPress plugin versions prior to 2.6.96 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised an...

WordPress Smart Forms plugin <= 2.6.91 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Dhabaleshwar Das Patchstack Alliance in WordPress Plugin Smart Forms versions = 2.6.91...

WordPress Smart Forms Plugin <= 2.6.91 is vulnerable to Broken Access Control

Software Smart Forms Type Plugin Vulnerable versions = 2.6.91 Fixed in 2.6.92 OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2024-33593 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID 810e0b29d7f7 Credits Dhabaleshwar Das Required...

WordPress ChatBot Conversational Forms plugin <= 1.1.8 - Arbitrary File Download vulnerability

Arbitrary File Download vulnerability discovered by Yudistira Arya Patchstack Alliance in WordPress Plugin Conversational Forms for ChatBot versions = 1.1.8...

WordPress Conversational Forms for ChatBot Plugin <= 1.1.8 is vulnerable to Arbitrary File Download

Software Conversational Forms for ChatBot Type Plugin Vulnerable versions = 1.1.8 Fixed in 1.2.0 OWASP Top 10 A1: Broken Access Control Classification Arbitrary File Download CVE CVE-2024-32729 Patch priority Low CVSS severity Low 7.5 Developer Claim ownership PSID 27e83c0724e4 Credits Yudistira...

Cross-site Scripting (XSS)

keycloak is vulnerable to Cross-site Scripting XSS. The vulnerability is due to allowing arbitrary URLs, including JavaScript URIs javascript:, as SAML Assertion Consumer Service POST Binding URL ACS. Allowing JavaScript URIs in combination with HTML forms results in Cross-site Scripting in the...

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL ACS, including JavaScript URIs javascript:. Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission. Acknowledgements: Specia...

CVE-2024-32510

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Loopus WP Cost Estimation & Payment Forms Builder allows Reflected XSS.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through 10.1.75...

CVE-2024-32527

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Jotform Jotform Online Forms allows Stored XSS.This issue affects Jotform Online Forms: from n/a through 1.3.1...