Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
The plugin does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site,...
WordPress Constant Contact Forms Plugin <= 2.0.3 is vulnerable to Broken Access Control
Software: Constant Contact Forms; Type: Plugin; Vulnerable versions: <= 2.0.3; Fixed in: 2.1.0; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-34387; Patch priority: Low; CVSS severity: Low 4.3; Developer: Claim ownership; PSID: 8b821c0ab713; Credits: István Márton; Required...
Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Millions of Sites
WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that's installed on over five million sites. The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0, which was released in Novembe...
WordPress Formidable Forms Plugin < 6.3.1 is vulnerable to Broken Access Control
Software: Formidable Forms; Type: Plugin; Vulnerable versions: < 6.3.1; Fixed in: 6.3.1; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: N/A; Patch priority: Medium; CVSS severity: Medium 5.4; Developer: Claim ownership; PSID: bb421c7db580; Credits: WordFence; Required privilege...
CVE-2023-33971 Formcreator vulnerable to stored XSS from ##FULLFORM##
Formcreator is a GLPI plugin which allows creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of FULLFORM for rendering. This could result in...
CVE-2023-2836
The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2023-2836 CRM Perks Forms <= 1.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting
The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2023-2836
CVE-2023-2836 applies to the CRM Perks Forms plugin for WordPress. It is a stored XSS vulnerability in form settings, affecting versions up to and including 1.1.1. The root cause is insufficient input sanitization and output escaping, allowing an authenticated attacker with administrator-level pe...
WordPress CRM Perks Forms Plugin <= 1.1.1 is vulnerable to Cross Site Scripting (XSS)
Software: CRM Perks Forms; Type: Plugin; Vulnerable versions: <= 1.1.1; Fixed in: 1.1.2; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: CVE-2023-2836; Patch priority: Low; CVSS severity: Low 5.9; Developer: Claim ownership; PSID: 82373127ce0e; Credits: Unknown; Required privile...
WordPress Plugin CRM Perks Forms Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
CVE-2023-2518
The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2023-2518 Easy Forms for Mailchimp < 6.8.9 - Reflected XSS
The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2023-2518
CVE-2023-2518 affects the WordPress plugin Easy Forms for Mailchimp prior to version 6.8.9. The vulnerability is a reflected Cross-Site Scripting caused by insufficient sanitisation/escaping of a parameter (sql_error) when the plugin’s debug option is enabled, allowing an attacker to execute arbi...
PT-2023-19962 · WordPress · Easy Forms For Mailchimp
Name of the Vulnerable Software and Affected Versions: Easy Forms for Mailchimp WordPress plugin versions prior to 6.8.9 Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs when the debug option is enabled, and a parameter is not properly sanitised and escaped...
CRM Perks Forms < 1.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the formid field in the plugin settings page, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup. PoC...
CRM Perks Forms < 1.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the formid field in the plugin settings page, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...
CVE-2023-27613
Unauth. Reflected Cross-Site Scripting XSS vulnerability in MonitorClick Forms Ada – Form Builder plugin = 1.0 versions...