429 matches found
CVE-2024-3649 Contact Form by WPForms – Drag & Drop Form Builder for WordPress <= 1.8.7.2 - Unauthenticated Price Manipulation
The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated attackers to...
CVE-2024-3649
CVE-2024-3649 concerns the WordPress plugin Contact Form by WPForms – Drag & Drop Form Builder for WordPress. Affected: WPForms Lite (Contact Form by WPForms) versions up to 1.8.7.2. Root cause: lack of controls on several product parameters during Stripe purchases enables price manipulat...
WordPress Contact Form by WPForms plugin <= 1.8.7.2 - Unauthenticated Price Manipulation vulnerability
Unauthenticated Price Manipulation vulnerability discovered by Asaf Mozes in WordPress Plugin Contact Form by WPForms versions <= 1.8.7.2...
PT-2024-27026 · Stripe +1
Name of the Vulnerable Software and Affected Versions: The Contact Form by WPForms – Drag & Drop Form Builder for WordPress versions up to, and including, 1.8.7.2. Description: The issue is related to price manipulation due to a lack of controls on several product parameters. This allows...
WordPress Contact Form by WPForms Plugin <= 1.8.7.2 is vulnerable to Broken Access Control
Software: Contact Form by WPForms; Type: Plugin; Vulnerable versions: <= 1.8.7.2; Fixed in: 1.8.8.2; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-3649; Patch priority: Low; CVSS severity: Low 5.3; Developer: Claim ownership; PSID: f3183fdcee99; Credits: Asaf Mozes; Require...
Database for Contact Form 7, WPforms, Elementor forms < 1.3.9 - Unauthenticated Stored Cross-Site Scripting
Description The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
PDF Builder for WPForms < 1.2.89 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The PDF Builder for WPForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' variable in versions up to, and including, 1.2.88 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-29820
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RedNao PDF Builder for WPForms allows Stored XSS. This issue affects PDF Builder for WPForms: from n/a through 1.2.88...
CVE-2024-29820 WordPress PDF Builder for WPForms plugin <= 1.2.88 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RedNao PDF Builder for WPForms allows Stored XSS. This issue affects PDF Builder for WPForms: from n/a through 1.2.88...
CVE-2024-29820
CVE-2024-29820 is a stored XSS in RedNao PDF Builder for WPForms caused by improper neutralization of input during web page generation. Affected product: PDF Builder for WPForms, versions: n/a through 1.2.88. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (base 6.5, MEDIUM). Connected sourc...
WordPress PDF Builder for WPForms Plugin <= 1.2.88 is vulnerable to Cross Site Scripting (XSS)
Software: PDF Builder for WPForms; Type: Plugin; Vulnerable versions: <= 1.2.88; Fixed in: 1.2.89; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-29820; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 7f7911ba8d07; Credits: LVT-tholv2k; Required privile...
CVE-2024-2030
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-2030
The CVE-2024-2030 entry covers a stored XSS in the WordPress plugin set “Database for Contact Form 7, WPforms, Elementor forms” (contact-form-entries) up to version 1.3.3. The underlying issue is insufficient input sanitization and output escaping for user-supplied attributes in the plugin’s shor...
CVE-2024-0371
The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'createview' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated...
CVE-2024-0370
The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveview' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated...
Cross-Site Request Forgery (CSRF)
The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'createview' function. This makes it possible for...
Design/Logic Flaw
The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'createview' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated...
CVE-2024-0373
The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'saveview' function. This makes it possible for...
CVE-2024-0371
The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'createview' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated...
Cross-Site Request Forgery (CSRF)
The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'saveview' function. This makes it possible for...