8172 matches found

Vulnrichment
added 2021/09/10 1:33 p.m. | 4 views

CVE-2021-38335 Wise Agent Capture Forms <= 1.0 Reflected Cross-Site Scripting

The Wise Agent Capture Forms WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected `$_SERVER["PHP_SELF"]` value in the /WiseAgentCaptureForm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0...

6.1 CVSS | 6.1 AI score | 0.00866 EPSS
Exploits: 1 | References: 2

CVE
added 2021/09/10 1:33 p.m. | 38 views

CVE-2021-38335

The CVE-2021-38335 entry relates to the WordPress plugin Wise Agent Capture Forms (

6.1 CVSS | 6 AI score | 0.00866 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

CNNVD
added 2021/09/10 12:00 a.m. | 3 views

WordPress Plugin Cross-Site Scripting Vulnerability

WordPress Plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists in the WordPress plugin Wise Agent Capture Forms, which stems from the vulnerability of version 1.0 of the Wise Agent Capture Forms WordPress plugin to reflected cross-site scripting...

6.1 CVSS | 6.1 AI score | 0.00866 EPSS
Exploits: 1 | References: 4

Patchstack
added 2021/09/09 12:00 a.m. | 13 views

WordPress Wise Agent Lead Capture Forms plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Wise Agent Lead Capture Forms plugin versions <= 1.0. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...

6.1 CVSS | 2.4 AI score | 0.00866 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

WPVulnDB
added 2021/09/09 12:00 a.m. | 16 views

Wise Agent Capture Forms <= 1.0 - Reflected Cross-Site Scripting

The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected `$_SERVER["PHP_SELF"]` value in the /WiseAgentCaptureForm.php file which allows attackers to inject arbitrary web scripts...

6.1 CVSS | 3.7 AI score | 0.00866 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

NVD
added 2021/09/06 11:15 a.m. | 9 views

CVE-2021-24513

The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the `unfiltered_html` capability is disallowed...

5.4 CVSS | 0.00604 EPSS
Exploits: 2 | References: 1

CVE
added 2021/09/06 11:09 a.m. | 49 views

CVE-2021-24513

Affected software: WordPress Form Builder plugin (pre-1.9.8.4). Vulnerability: Authenticated stored XSS via unsanitized/unescaped Form Title. Root cause: Form Title not sanitized/escaped, enabling injection by privileged users (e.g., admin). Impact: Client-side script execution in admin context; aff...

5.4 CVSS | 5.2 AI score | 0.00604 EPSS
Exploits: 2 | References: 1 | Affected Software: 1

Github Security Blog
added 2021/09/02 5:09 p.m. | 44 views

Cross-site Request Forgery (CSRF) in joplin

The package joplin before 2.3.2 is vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms...

8.8 CVSS | 3.7 AI score | 0.00403 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

0day.today
added 2021/09/01 12:00 a.m. | 166 views

WordPress GetPaid payments plugin 2.4.6 - HTML Injection Vulnerability

Exploit Title: WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection Exploit Author: Niraj Mahajan Software Link: https://wordpress.org/plugins/invoicing/ Version: 2.4.6 Tested on Windows Steps to Reproduce: 1. Install Wordpress 5.8 2. Install and Activate "WordPress Payments Plugin |...

0.4 AI score
Exploits: 0

Packet Storm
added 2021/09/01 12:00 a.m. | 186 views

WordPress GetPaid 2.4.6 HTML Injection

Exploit Title: WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection Date: 29/08/2021 Exploit Author: Niraj Mahajan Software Link: https://wordpress.org/plugins/invoicing/ Version: 2.4.6 Tested on Windows Steps to Reproduce: 1. Install Wordpress 5.8 2. Install and Activate "WordPress...

7.4 AI score
Exploits: 0

Exploit DB
added 2021/09/01 12:00 a.m. | 174 views

WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection

Exploit Title: WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection Date: 29/08/2021 Exploit Author: Niraj Mahajan Software Link: https://wordpress.org/plugins/invoicing/ Version: 2.4.6 Tested on Windows Steps to Reproduce: 1. Install Wordpress 5.8 2. Install and Activate "WordPress...

7.4 AI score
Exploits: 0

CNNVD
added 2021/08/31 12:00 a.m. | 5 views

Form Tools Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability exists in Form Tools 3.0.20 and earlier. An attacker could use the submissionid parameter to trigger a stored cross-site scripting attack when viewing a form...

5.4 CVSS | 5.2 AI score | 0.00887 EPSS
Exploits: 1 | References: 5

Prion
added 2021/08/30 4:15 p.m. | 11 views

Design/Logic Flaw

Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's details page then clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can be populated from...

4.3 CVSS | 5.9 AI score | 0.00622 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

CNNVD
added 2021/08/30 12:00 a.m. | 0 views

DRK Odenwaldkreis Testerfassung Cross-Site Scripting Vulnerability

DRK Odenwaldkreis Testerfassung is an open source solution for obtaining and recording rapid test results for corona antigens. A cross-site scripting vulnerability exists in DRK Odenwaldkreis Testerfassung March-2021, which can be exploited by attackers to inject arbitrary web script or HTML via a...

6.1 CVSS | 5.4 AI score | 0.00907 EPSS
Exploits: 1 | References: 1

Huntr
added 2021/08/29 3:54 p.m. | 11 views

Cross-site Scripting (XSS) - Generic in forkcms/library

✍️ Description Please enter a description of the vulnerability. XSS is possible when the option allowHTML was set to true for text inputs and textfields 🕵️‍♂️ Proof of Concept http://demo.fork-cms.com/en/search?form=search&qwidget=%22%3E%3Csvg/onload=alertdocument.domain%3E 💥 Impact XSS attacks can...

7 AI score
Exploits: 0

Hacker One
added 2021/08/27 8:58 a.m. | 42 views

Adobe: AEM forms XXE Vulnerability

AEM Forms Cloud Service offering, as well as version 6.5.10.0 and below, are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE. CVE: CVE-2021-40722 Ref: https://helpx.adobe.com/security/products/experience-manager/apsb21-103.html We...

7.5 CVSS | 1.7 AI score | 0.03273 EPSS
Exploits: 0

OSV
added 2021/08/25 10:15 p.m. | 1 view

CVE-2021-37334

Umbraco Forms version 4.0.0 up to and including 8.7.5 and below are vulnerable to a security flaw that could lead to a remote code execution attack and/or arbitrary file deletion. A vulnerability occurs because validation of the file extension is performed after the file has been stored in a...

9.8 CVSS | 6.5 AI score | 0.02744 EPSS
Exploits: 0 | References: 2

NVD
added 2021/08/25 10:15 p.m. | 16 views

CVE-2021-37334

Umbraco Forms version 4.0.0 up to and including 8.7.5 and below are vulnerable to a security flaw that could lead to a remote code execution attack and/or arbitrary file deletion. A vulnerability occurs because validation of the file extension is performed after the file has been stored in a...

9.8 CVSS | 0.02744 EPSS
Exploits: 0 | References: 2

Prion
added 2021/08/25 10:15 p.m. | 12 views

Arbitrary file deletion

Umbraco Forms version 4.0.0 up to and including 8.7.5 and below are vulnerable to a security flaw that could lead to a remote code execution attack and/or arbitrary file deletion. A vulnerability occurs because validation of the file extension is performed after the file has been stored in a...

9.3 CVSS | 9.8 AI score | 0.02744 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2021/08/25 9:16 p.m. | 51 views

CVE-2021-37334

Umbraco Forms versions 4.0.0 through 8.7.5 (and older) are vulnerable to remote code execution and arbitrary file deletion due to file-extension validation occurring after files are stored in a temporary directory (%BASEDIR%/APP_DATA/TEMP/FileUploads/). The web.config protections restricting this...

9.8 CVSS | 9.8 AI score | 0.02744 EPSS
Exploits: 0 | References: 2 | Affected Software: 1