Lucene search
Tri Wanda SeptianWPEX-ID:5E442DD9-A49D-4A8E-959B-199A8689DA4BHistoryJul 12, 2022 - 12:00 a.m.
weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
2022-07-1200:00:00
Tri Wanda Septian
154
0.001 Low
EPSS
Percentile
25.0%
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
On the dashboard navigate to weForms > All Forms > Add Form > Choose Contact Form;
Click Create Form > Settings
Inject with cross-site scripting (xss) payload: <img src=x onerror=alert(document.cookie);> on Message to Show form.
Save Form
On the post/page containing the form, fill up the contact form and submit it to trigger the payloadRelated
cvelist
cvelist
CVE-2022-2395 weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
2022-08-08 13:48:42
cve
cve
CVE-2022-2395
2022-08-08 14:15:09
wpvulndb
wpvulndb
weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
2022-07-12 00:00:00
prion
prion
Cross site scripting
2022-08-08 14:15:00
patchstack
patchstack
nvd
nvd
CVE-2022-2395
2022-08-08 14:15:09