8173 matches found

Patchstack
added 2023/02/02 12:0 a.m. · 14 views

WordPress Formidable Forms Plugin <= 5.5.6 is vulnerable to Cross Site Request Forgery (CSRF)

Software: Formidable Forms; Type: Plugin; Vulnerable versions: <= 5.5.6; Fixed in: 5.5.7; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-24419; Patch priority: Low; CVSS severity: Low (7.1); Developer: Claim ownership; PSID: ea449e0665e1; Credits: Rafshanzani Suhada...

8.8 CVSS · 7 AI score · 0.00264 EPSS
Exploits 0 · References 2 · Affected Software 1
WPVulnDB
added 2023/02/02 12:0 a.m. · 16 views

Formidable Forms < 5.5.7 - Arbitrary Entry Deletion via CSRF

The plugin does not have a CSRF check when deleting entries, which could allow attackers to make logged-in admins perform such an action via a CSRF attack...

8.8 CVSS · 8.2 AI score · 0.00264 EPSS
Exploits 0 · Affected Software 1
Patchstack
added 2023/01/23 12:0 a.m. · 14 views

WordPress Zoho Forms Plugin < 3.0.1 is vulnerable to Cross Site Scripting (XSS)

Software: Zoho Forms; Type: Plugin; Vulnerable versions: < 3.0.1; Fixed in: 3.0.1; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-0169; Patch priority: Medium; CVSS severity: Medium (6.5); Developer: Claim ownership; PSID: 2d6c8ebd7daa; Credits: István Márton; Required...

5.4 CVSS · 5.6 AI score · 0.01648 EPSS
Exploits 2 · References 3 · Affected Software 1
WPVulnDB
added 2023/01/23 12:0 a.m. · 20 views

Zoho Forms < 3.0.1 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC: As a contributor, put the following in ...

5.4 CVSS · 5 AI score · 0.01648 EPSS
Exploits 2 · Affected Software 1
wpexploit
added 2023/01/23 12:0 a.m. · 394 views

Zoho Forms < 3.0.1 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, put the following in a bl...

5.4 CVSS · 5.2 AI score · 0.01648 EPSS
Exploits 2
Patchstack
added 2023/01/20 12:0 a.m. · 9 views

WordPress Conversational Forms for ChatBot Plugin <= 1.1.6 is vulnerable to Cross Site Scripting (XSS)

Software: Conversational Forms for ChatBot; Type: Plugin; Vulnerable versions: <= 1.1.6; Fixed in: 1.1.7; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-23981; Patch priority: Low; CVSS severity: Low (5.9); Developer: Claim ownership; PSID: 1354354e56fe; Credits: Rio...

5.9 CVSS · 5.8 AI score · 0.00392 EPSS
Exploits 0 · References 2 · Affected Software 1
WPVulnDB
added 2023/01/20 12:0 a.m. · 16 views

Conversational Forms for ChatBot < 1.1.7 - Admin+ Stored XSS

The plugin does not sanitise and escape a form name, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

5.9 CVSS · 4.8 AI score · 0.00392 EPSS
Exploits 0 · Affected Software 1
OSV
added 2023/01/18 5:49 p.m. · 3 views

DRUPAL-CONTRIB-2023-004

This module enables you to use the media library in custom forms without the Media Library Widget. The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The...

6.7 AI score
Exploits 0 · References 1
Veracode
added 2023/01/18 1:39 a.m. · 21 views

Cross-site Scripting (XSS)

apache-superset is vulnerable to Cross-Site Scripting (XSS) attacks. The library does not properly render user inputs via the Upload data forms endpoint, allowing an authenticated attacker with database connection update permissions to inject and execute malicious JavaScript...

5.4 CVSS · 5.2 AI score · 0.01302 EPSS
Exploits 0 · References 4 · Affected Software 1
VulnCheck KEV
added 2023/01/18 12:0 a.m. · 3 views

VulnCheck KEV: CVE-2021-24164

In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection URL needed to establish a connection. They could also retrieve the client_id for an already established OAuth...

4.3 CVSS · 5.8 AI score · 0.00889 EPSS
Exploits 2 · References 1
Drupal
added 2023/01/18 12:0 a.m. · 16 views

Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004

This module enables you to use the media library in custom forms without the Media Library Widget. The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The...

6.5 AI score
Exploits 0 · References 10
Github Security Blog
added 2023/01/16 12:30 p.m. · 36 views

Apache Superset is vulnerable to Cross-Site Scripting (XSS)

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.4 CVSS · 5.1 AI score · 0.01302 EPSS
Exploits 0 · References 3 · Affected Software 1
NVD
added 2023/01/16 11:15 a.m. · 37 views

CVE-2022-43718

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.4 CVSS · 5.1 AI score · 0.01302 EPSS
Exploits 0 · References 1
Prion
added 2023/01/16 11:15 a.m. · 19 views

Design/Logic Flaw

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

4.9 CVSS · 5 AI score · 0.01302 EPSS
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2023/01/16 10:10 a.m. · 41 views

CVE-2022-43718 Apache Superset: Cross-Site Scripting vulnerability on upload forms

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.3 AI score · 0.01302 EPSS
Exploits 0 · References 1
Vulnrichment
added 2023/01/16 10:10 a.m. · 6 views

CVE-2022-43718 Apache Superset: Cross-Site Scripting vulnerability on upload forms

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0...

5.8 AI score · 0.01302 EPSS
Exploits 0 · References 1
Positive Technologies
added 2023/01/16 12:0 a.m. · 2 views

PT-2023-14303 · Apache · Apache Superset

Name of the Vulnerable Software and Affected Versions: Apache Superset versions 1.5.2 and prior; Apache Superset version 2.0.0. Description: The issue arises from upload data forms not correctly rendering user input, leading to possible XSS attack vectors. These attacks can be performed by...

5.4 CVSS · 6.2 AI score · 0.01302 EPSS
Exploits 0 · References 8
OSV
added 2023/01/14 11:15 a.m. · 0 views

CVE-2022-38467

Reflected Cross-Site Scripting XSS vulnerability in CRM Perks Forms – WordPress Form Builder = 1.1.0 ver...

6.1 CVSS · 5.8 AI score
Exploits 0 · References 1
NVD
added 2023/01/14 11:15 a.m. · 16 views

CVE-2022-38467

Reflected Cross-Site Scripting XSS vulnerability in CRM Perks Forms – WordPress Form Builder = 1.1.0 ver...

6.1 CVSS · 6 AI score · 0.0081 EPSS
Exploits 0 · References 1
EUVD
added 2023/01/14 10:14 a.m. · 4 views

EUVD-2022-41050

Reflected Cross-Site Scripting XSS vulnerability in CRM Perks Forms – WordPress Form Builder = 1.1.0 ver...

6.1 CVSS · 6 AI score · 0.0081 EPSS
Exploits 0 · References 1