Search criteria
4 vulnerabilities found for Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress by Unknown
CVE-2021-24884 (GCVE-0-2021-24884)
Vulnerability from cvelistv5 – Published: 2021-10-25 13:20 – Updated: 2024-08-03 19:49
VLAI?
Title
Formidable Form Builder < 4.09.05 - Unauthenticated Stored Cross-Site Scripting
Summary
The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress |
Affected:
4.09.05 , < 4.09.05
(custom)
|
Credits
Maximilian Barz
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:49:14.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.09.05",
"status": "affected",
"version": "4.09.05",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maximilian Barz"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like \u003caudio\u003e,\u003cvideo\u003e,\u003cimg\u003e,\u003ca\u003e and\u003cbutton\u003e.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the \"data-frmverify\" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-25T13:20:59",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Formidable Form Builder \u003c 4.09.05 - Unauthenticated Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24884",
"STATE": "PUBLIC",
"TITLE": "Formidable Form Builder \u003c 4.09.05 - Unauthenticated Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.09.05",
"version_value": "4.09.05"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Maximilian Barz"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like \u003caudio\u003e,\u003cvideo\u003e,\u003cimg\u003e,\u003ca\u003e and\u003cbutton\u003e.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the \"data-frmverify\" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"name": "https://github.com/Strategy11/formidable-forms/pull/335/files",
"refsource": "MISC",
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"name": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf",
"refsource": "MISC",
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24884",
"datePublished": "2021-10-25T13:20:59",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:49:14.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24608 (GCVE-0-2021-24608)
Vulnerability from cvelistv5 – Published: 2021-10-25 13:20 – Updated: 2024-08-03 19:35
VLAI?
Title
Formidable Form Builder < 5.0.07 - Admin+ Stored Cross-Site Scripting
Summary
The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress |
Affected:
5.0.07 , < 5.0.07
(custom)
|
Credits
Asif Nawaz Minhas
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.0.07",
"status": "affected",
"version": "5.0.07",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Asif Nawaz Minhas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form\u0027s Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-25T13:20:45",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Formidable Form Builder \u003c 5.0.07 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24608",
"STATE": "PUBLIC",
"TITLE": "Formidable Form Builder \u003c 5.0.07 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "5.0.07",
"version_value": "5.0.07"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Asif Nawaz Minhas"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form\u0027s Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2609911",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24608",
"datePublished": "2021-10-25T13:20:45",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:35:20.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24884 (GCVE-0-2021-24884)
Vulnerability from nvd – Published: 2021-10-25 13:20 – Updated: 2024-08-03 19:49
VLAI?
Title
Formidable Form Builder < 4.09.05 - Unauthenticated Stored Cross-Site Scripting
Summary
The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress |
Affected:
4.09.05 , < 4.09.05
(custom)
|
Credits
Maximilian Barz
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:49:14.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.09.05",
"status": "affected",
"version": "4.09.05",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maximilian Barz"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like \u003caudio\u003e,\u003cvideo\u003e,\u003cimg\u003e,\u003ca\u003e and\u003cbutton\u003e.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the \"data-frmverify\" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-25T13:20:59",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Formidable Form Builder \u003c 4.09.05 - Unauthenticated Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24884",
"STATE": "PUBLIC",
"TITLE": "Formidable Form Builder \u003c 4.09.05 - Unauthenticated Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.09.05",
"version_value": "4.09.05"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Maximilian Barz"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like \u003caudio\u003e,\u003cvideo\u003e,\u003cimg\u003e,\u003ca\u003e and\u003cbutton\u003e.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the \"data-frmverify\" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/b57dacdd-43c2-48f8-ac1e-eb8306b22533"
},
{
"name": "https://github.com/Strategy11/formidable-forms/pull/335/files",
"refsource": "MISC",
"url": "https://github.com/Strategy11/formidable-forms/pull/335/files"
},
{
"name": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf",
"refsource": "MISC",
"url": "https://github.com/S1lkys/XSS-in-Formidable-4.09.04/blob/main/XSS-in-Formidable-4.09.04.pdf"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24884",
"datePublished": "2021-10-25T13:20:59",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:49:14.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24608 (GCVE-0-2021-24608)
Vulnerability from nvd – Published: 2021-10-25 13:20 – Updated: 2024-08-03 19:35
VLAI?
Title
Formidable Form Builder < 5.0.07 - Admin+ Stored Cross-Site Scripting
Summary
The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress |
Affected:
5.0.07 , < 5.0.07
(custom)
|
Credits
Asif Nawaz Minhas
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.0.07",
"status": "affected",
"version": "5.0.07",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Asif Nawaz Minhas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form\u0027s Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-25T13:20:45",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Formidable Form Builder \u003c 5.0.07 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24608",
"STATE": "PUBLIC",
"TITLE": "Formidable Form Builder \u003c 5.0.07 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "5.0.07",
"version_value": "5.0.07"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Asif Nawaz Minhas"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Formidable Form Builder \u2013 Contact Form, Survey \u0026 Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form\u0027s Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/75305ea8-730b-4caf-a3c6-cb94adee683c"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2609911",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2609911"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24608",
"datePublished": "2021-10-25T13:20:45",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:35:20.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}