wpexploit | SHUBHANGI DAWKHAR | WPEX-ID:550E08AC-4C3A-4E22-8E98-BC5BFC020CA9
Jul 03, 2021 - 12:00 a.m.

Forms < 1.12.3 - Authenticated Stored Cross-Site Scripting (XSS)

EPSS: 0.001 (Low), Percentile: 24.9%

The plugin did not sanitise its input fields, leading to Stored Cross-Site Scripting issues. It was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) within the Forms “Add new” field.

Step 1: Install and activate the plugin.

Step 2: Go to Forms --> Add New.

Step 3: Enter the following payload in the "Title" field and click on the save button.

<script>alert(1)</script>

Step 4: Now the script is stored, and whenever the user goes to the plugin, the script will be executed.
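The following is an added example, not code from the Forms plugin or its fix. It shows the pattern behind the steps above (a title stored and echoed as submitted) beside a hardened form that sanitises on save and escapes on output. The demo_ function names are hypothetical, and the two stand-in functions only approximate WordPress's sanitize_text_field() and esc_html() so the script runs outside WordPress.

```php
<?php
// Added illustration; not code from the Forms plugin. All demo_ names
// are hypothetical.

// Stand-ins so the script runs outside WordPress. Inside WordPress the
// real sanitize_text_field() and esc_html() are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Rough approximation: drop tags, collapse whitespace, trim.
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $str)));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Before: the title is stored and echoed exactly as submitted.
function demo_save_title_unsafe(array &$store, $title) {
    $store[] = $title;
}
function demo_render_row_unsafe($title) {
    return '<td class="title">' . $title . '</td>';
}

// After: sanitise when saving, and escape again when rendering so that
// rows written before the fix are also displayed as inert text.
function demo_save_title(array &$store, $title) {
    $store[] = sanitize_text_field($title);
}
function demo_render_row($title) {
    return '<td class="title">' . esc_html($title) . '</td>';
}

$submitted = '<script>alert(1)</script>'; // the title value from Step 3

$legacy = [];
demo_save_title_unsafe($legacy, $submitted);
$fixed = [];
demo_save_title($fixed, $submitted);

echo "unsafe save, unsafe render:     ", demo_render_row_unsafe($legacy[0]), "\n";
echo "unsafe save, escaped render:    ", demo_render_row($legacy[0]), "\n";
echo "sanitised save, escaped render: ", demo_render_row($fixed[0]), "\n";
```

The second output line is the one that matters when upgrading: titles already stored before a fix stay in the database, so output escaping is what neutralises them.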
