CVE-2021-39353 Easy Registration Forms <= 2.1.1 Cross-Site Request Forgery to Stored Cross-Site Scripting
The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajax_add_form function found in the /includes/class-form.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including...
CVE-2021-39353
The CVE-2021-39353 entry concerns the WordPress plugin Easy Registration Forms (versions up to 2.1.1). The vulnerability is Cross-Site Request Forgery caused by missing nonce validation in the ajax_add_form function within includes/class-form.php, enabling an attacker to inject arbitrary web scri...
WordPress Easy Registration Forms plugin <= 2.1.1 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Thinkland Security Team in WordPress Easy Registration Forms plugin versions <= 2.1.1. Solution: Deactivate and delete. This plugin has been closed as of November 12, 2021 and is not available for...
Easy Registration Forms <= 2.1.1 - CSRF to Stored Cross-Site Scripting
The plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajax_add_form function found in the /includes/class-form.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 2.1.1...
WordPress NEX-Forms – Ultimate Form Builder plugin <= 8.1 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Shivam Rai in WordPress NEX-Forms – Ultimate Form Builder plugin versions <= 8.1. Solution: Deactivate and delete. This plugin has been closed as of October 4, 2021 and is not available for download. This closure is...
NEX-Forms <= 7.9.4 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings and form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. In Global Setting Preferences Validation, put the following...
Contact Form 7 Database Addon < 1.2.6.1 - Arbitrary Form Deletion via CSRF
The plugin does not have a CSRF check when processing bulk actions, which could allow attackers to make a logged-in admin delete arbitrary forms, for example...
WordPress Caldera Forms plugin <= 1.9.4 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Dhananjay Garg in WordPress Caldera Forms plugin versions <= 1.9.4. Solution: Update the WordPress Caldera Forms plugin to the latest available version, at least 1.9.5...
Caldera forms < 1.9.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC: Create/edit a form, and put the following payload in the Form Name vi...
Caldera forms < 1.9.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create/edit a form, and put the following payload in the Form Name via th...
WordPress Wow Forms plugin SQL injection vulnerability (CNVD-2021-99632)
WordPress is a blogging platform developed in the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A security vulnerability exists in the WordPress Wow Forms plugin in version 3.1.3 and earlier, which stems fr...
CVE-2021-24731
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection...
CVE-2021-24628
The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection...
CVE-2021-24647
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing an unauthenticated attacker to log in as any user on the site by only knowing their user ID or userna...
Information disclosure
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing an unauthenticated attacker to log in as any user on the site by only knowing their user ID or...
SQL injection
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection...
CVE-2021-24628
The CVE concerns the WordPress Wow Forms plugin.
WordPress SQL injection vulnerability
WordPress is a blogging platform developed in the PHP language by the WordPress Foundation. The platform supports personal blog sites on PHP and MySQL servers. WordPress Plugin Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways,...