Lucene search
Akash Rajendra PatilWPVDB-ID:A1AE4512-0B5B-4F36-8334-14633BF24758HistoryApr 07, 2022 - 12:00 a.m.
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting
2022-04-0700:00:00
Akash Rajendra Patil
wpscan.com
9
visual form builder
admin
stored cross-site scripting
cross-site scripting
unfiltered html
email field
security issue
EPSS
0.001
Percentile
24.8%
The plugin does not sanitise and escape the form’s ‘Email to’ field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
PoC
Create/edit a form and put the following payload in the ‘E-mail To’ field: "> The XSS will be triggered when editing the form
Related
cve
cve
CVE-2022-1046
2022-05-02 16:15:08
prion
prion
Cross site scripting
2022-05-02 16:15:00
cnvd
cnvd
WordPress Visual Form Builder plugin cross-site scripting vulnerability
2022-05-07 00:00:00
cvelist
cvelist
patchstack
patchstack
nvd
nvd
CVE-2022-1046
2022-05-02 16:15:08
wpexploit
wpexploit
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting
2022-04-07 00:00:00