Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
wpvulndbTri Wanda SeptianWPVDB-ID:5E442DD9-A49D-4A8E-959B-199A8689DA4B
HistoryJul 12, 2022 - 12:00 a.m.

weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting

2022-07-1200:00:00
Tri Wanda Septian
wpscan.com
15

0.001 Low

EPSS

Percentile

25.0%

JSON

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PoC

On the dashboard navigate to weForms > All Forms > Add Form > Choose Contact Form; Click Create Form > Settings Inject with cross-site scripting (xss) payload: on Message to Show form. Save Form On the post/page containing the form, fill up the contact form and submit it to trigger the payload

CPENameOperatorVersion
weformslt1.6.14

Related

cvelist 1
wpexploit 1
cve 1
prion 1
patchstack 1
nvd 1
cvelist
cvelist
CVE-2022-2395 weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
2022-08-08 13:48:42
wpexploit
wpexploit
weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
2022-07-12 00:00:00
cve
cve
CVE-2022-2395
2022-08-08 14:15:09
prion
prion
Cross site scripting
2022-08-08 14:15:00
patchstack
patchstack
WordPress weForms plugin <= 1.6.13 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
2022-07-12 00:00:00
nvd
nvd
CVE-2022-2395
2022-08-08 14:15:09

0.001 Low

EPSS

Percentile

25.0%

JSON
Related for WPVDB-ID:5E442DD9-A49D-4A8E-959B-199A8689DA4B
cvelist1wpexploit1cve1prion1patchstack1nvd1