
15 vulnerabilities found for visual_form_builder by vfbpro

FKIE_CVE-2022-1046

Vulnerability from fkie_nvd - Published: 2022-05-02 16:15 - Updated: 2024-11-21 06:39
Summary
The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Impacted products
Vendor Product Version
vfbpro visual_form_builder *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vfbpro:visual_form_builder:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "F589457E-7991-4D26-832F-93F867B03B67",
              "versionEndExcluding": "3.0.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form\u0027s \u0027Email to\u0027 field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
    },
    {
      "lang": "es",
      "value": "El plugin Visual Form Builder de WordPress versiones anteriores a 3.0.7, no sanea ni escapa del campo \"Email to\" del formulario, lo que podr\u00eda permitir a usuarios muy privilegiados llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html est\u00e1 deshabilitada"
    }
  ],
  "id": "CVE-2022-1046",
  "lastModified": "2024-11-21T06:39:55.523",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-05-02T16:15:08.717",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2022-0140

Vulnerability from fkie_nvd - Published: 2022-04-12 12:15 - Updated: 2024-11-21 06:37
Summary
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.
Impacted products
Vendor Product Version
vfbpro visual_form_builder *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vfbpro:visual_form_builder:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "2525917B-7FE5-465E-9AF3-0C716783530B",
              "versionEndExcluding": "3.0.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint."
    },
    {
      "lang": "es",
      "value": "El plugin Visual Form Builder WordPress antes de la versi\u00f3n 3.0.8 no realiza un control de acceso en la exportaci\u00f3n de formularios de entrada, permitiendo a los usuarios no autentificados ver las entradas del formulario o exportarlo como un archivo CSV usando el endpoint vfb-export"
    }
  ],
  "id": "CVE-2022-0140",
  "lastModified": "2024-11-21T06:37:59.240",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-12T12:15:08.183",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
    },
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2022-0141

Vulnerability from fkie_nvd - Published: 2022-04-12 12:15 - Updated: 2024-11-21 06:37
Summary
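The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor delete and restore arbitrary form entries via CSRF attacks. Note: the CPE match data in this record gives versionEndExcluding 3.0.6, which disagrees with the 3.0.8 stated in this description; confirm the fixed version before using either value for exposure checks.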
Impacted products
Vendor Product Version
vfbpro visual_form_builder *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vfbpro:visual_form_builder:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "2525917B-7FE5-465E-9AF3-0C716783530B",
              "versionEndExcluding": "3.0.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks"
    },
    {
      "lang": "es",
      "value": "El plugin Visual Form Builder de WordPress versiones anteriores a 3.0.8 no aplica las comprobaciones de nonce, lo que podr\u00eda permitir a atacantes hacer que un administrador o editor con sesi\u00f3n iniciada elimine y restaure entradas de formulario arbitrarias por medio de ataques de tipo CSRF"
    }
  ],
  "id": "CVE-2022-0141",
  "lastModified": "2024-11-21T06:37:59.380",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.8,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-12T12:15:08.237",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
    },
    {
      "source": "contact@wpscan.com",
      "url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2022-0142

Vulnerability from fkie_nvd - Published: 2022-04-12 12:15 - Updated: 2024-11-21 06:37
Severity ?
Summary
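The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. Note: the CPE match data in this record gives versionEndExcluding 3.0.6, which disagrees with the 3.0.8 stated in this description; confirm the fixed version before using either value for exposure checks.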
Impacted products
Vendor Product Version
vfbpro visual_form_builder *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vfbpro:visual_form_builder:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "2525917B-7FE5-465E-9AF3-0C716783530B",
              "versionEndExcluding": "3.0.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution."
    },
    {
      "lang": "es",
      "value": "El plugin Visual Form Builder de WordPress anterior a la versi\u00f3n 3.0.8 es vulnerable a la inyecci\u00f3n de CSV, lo que permite a un usuario de bajo nivel o sin privilegios inyectar un comando que se incluir\u00e1 en el archivo CSV exportado, dando lugar a una posible ejecuci\u00f3n de c\u00f3digo"
    }
  ],
  "id": "CVE-2022-0142",
  "lastModified": "2024-11-21T06:37:59.533",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-12T12:15:08.287",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
    },
    {
      "source": "contact@wpscan.com",
      "url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1236"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1236"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2021-24514

Vulnerability from fkie_nvd - Published: 2021-10-25 14:15 - Updated: 2024-11-21 05:53
Summary
The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed
Impacted products
Vendor Product Version
vfbpro visual_form_builder *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vfbpro:visual_form_builder:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "157F37CF-499C-4DFD-B8D0-09F79926F2C6",
              "versionEndExcluding": "3.0.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed"
    },
    {
      "lang": "es",
      "value": "El plugin Visual Form Builder de WordPress versiones anteriores a 3.0.4, no sanea ni escapa de los nombres de los formularios, lo que permite a usuarios con altos privilegios, como los administradores, introducir en ellos cargas \u00fatiles de tipo Cross-Site Scripting, incluso cuando la capacidad unfiltered_html est\u00e1 deshabilitada"
    }
  ],
  "id": "CVE-2021-24514",
  "lastModified": "2024-11-21T05:53:12.900",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-25T14:15:10.193",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2022-1046 (GCVE-0-2022-1046)

Vulnerability from cvelistv5 – Published: 2022-05-02 16:05 – Updated: 2024-08-02 23:47
VLAI?
Title
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting
Summary
The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 3.0.7 , < 3.0.7 (custom)
Credits
Akash Rajendra Patil

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:47:43.426Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.7",
              "status": "affected",
              "version": "3.0.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Akash Rajendra Patil"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form\u0027s \u0027Email to\u0027 field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-02T16:05:48",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.7 - Admin+ Stored Cross-Site Scripting",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-1046",
          "STATE": "PUBLIC",
          "TITLE": "Visual Form Builder \u003c 3.0.7 - Admin+ Stored Cross-Site Scripting"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Form Builder",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0.7",
                            "version_value": "3.0.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Akash Rajendra Patil"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form\u0027s \u0027Email to\u0027 field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-1046",
    "datePublished": "2022-05-02T16:05:48",
    "dateReserved": "2022-03-22T00:00:00",
    "dateUpdated": "2024-08-02T23:47:43.426Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0142 (GCVE-0-2022-0142)

Vulnerability from cvelistv5 – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
VLAI?
Title
Visual Form Builder < 3.0.6 - CSV Injection
Summary
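The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. Note: this record's title says "< 3.0.6" while this summary and the affected-version entry say 3.0.8; confirm the fixed version before using either value for exposure checks.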
Severity ?
No CVSS data available.
CWE
  • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 3.0.8 , < 3.0.8 (custom)
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.999Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.8",
              "status": "affected",
              "version": "3.0.8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-13T12:41:27",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.6 - CSV Injection",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-0142",
          "STATE": "PUBLIC",
          "TITLE": "Visual Form Builder \u003c 3.0.6 - CSV Injection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Form Builder",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0.8",
                            "version_value": "3.0.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
            },
            {
              "name": "https://www.fortiguard.com/zeroday/FG-VD-21-080",
              "refsource": "MISC",
              "url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0142",
    "datePublished": "2022-04-12T11:15:23",
    "dateReserved": "2022-01-06T00:00:00",
    "dateUpdated": "2024-08-02T23:18:41.999Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0141 (GCVE-0-2022-0141)

Vulnerability from cvelistv5 – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
Title
Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF
Summary
The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor delete and restore arbitrary form entries via CSRF attacks.
Severity ?
No CVSS data available.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 3.0.8 , < 3.0.8 (custom)
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.711Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.8",
              "status": "affected",
              "version": "3.0.8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-13T12:41:26",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.8 - Entries Deletion/Restoration via CSRF",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-0141",
          "STATE": "PUBLIC",
          "TITLE": "Visual Form Builder \u003c 3.0.8 - Entries Deletion/Restoration via CSRF"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Form Builder",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0.8",
                            "version_value": "3.0.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
            },
            {
              "name": "https://www.fortiguard.com/zeroday/FG-VD-21-081",
              "refsource": "MISC",
              "url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0141",
    "datePublished": "2022-04-12T11:15:22",
    "dateReserved": "2022-01-06T00:00:00",
    "dateUpdated": "2024-08-02T23:18:41.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0140 (GCVE-0-2022-0140)

Vulnerability from cvelistv5 – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
Title
Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure
Summary
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export them as a CSV file using the vfb-export endpoint.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 0 , < 3.0.6 (custom)
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs WPScan

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.793Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-24T09:16:04.380Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
        },
        {
          "url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.6 - Unauthenticated Information Disclosure",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0140",
    "datePublished": "2022-04-12T11:15:20",
    "dateReserved": "2022-01-06T00:00:00",
    "dateUpdated": "2024-08-02T23:18:41.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-24514 (GCVE-0-2021-24514)

Vulnerability from cvelistv5 – Published: 2021-10-25 13:20 – Updated: 2024-08-03 19:35
Title
Visual Form Builder < 3.0.4 - Admin+ Stored Cross-Site Scripting
Summary
The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high-privilege users such as admins to set a Cross-Site Scripting payload in it, even when the unfiltered_html capability is disallowed.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 3.0.4 , < 3.0.4 (custom)
Credits
Felipe Restrepo Rodriguez

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:35:19.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.4",
              "status": "affected",
              "version": "3.0.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Felipe Restrepo Rodriguez"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-25T13:20:39",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.4 - Admin+ Stored Cross-Site Scripting",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24514",
          "STATE": "PUBLIC",
          "TITLE": "Visual Form Builder \u003c 3.0.4 - Admin+ Stored Cross-Site Scripting"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Form Builder",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0.4",
                            "version_value": "3.0.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Felipe Restrepo Rodriguez"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24514",
    "datePublished": "2021-10-25T13:20:39",
    "dateReserved": "2021-01-14T00:00:00",
    "dateUpdated": "2024-08-03T19:35:19.892Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1046 (GCVE-0-2022-1046)

Vulnerability from nvd – Published: 2022-05-02 16:05 – Updated: 2024-08-02 23:47
Title
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting
Summary
The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 3.0.7 , < 3.0.7 (custom)
Credits
Akash Rajendra Patil

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:47:43.426Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.7",
              "status": "affected",
              "version": "3.0.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Akash Rajendra Patil"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form\u0027s \u0027Email to\u0027 field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-02T16:05:48",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.7 - Admin+ Stored Cross-Site Scripting",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-1046",
          "STATE": "PUBLIC",
          "TITLE": "Visual Form Builder \u003c 3.0.7 - Admin+ Stored Cross-Site Scripting"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Form Builder",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0.7",
                            "version_value": "3.0.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Akash Rajendra Patil"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form\u0027s \u0027Email to\u0027 field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-1046",
    "datePublished": "2022-05-02T16:05:48",
    "dateReserved": "2022-03-22T00:00:00",
    "dateUpdated": "2024-08-02T23:47:43.426Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0142 (GCVE-0-2022-0142)

Vulnerability from nvd – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
Title
Visual Form Builder < 3.0.6 - CSV Injection
Summary
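The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. [Note: this record's title gives the affected range as < 3.0.6, while its description and affected-version data give < 3.0.8.]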
Severity ?
No CVSS data available.
CWE
  • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 3.0.8 , < 3.0.8 (custom)
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.999Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.8",
              "status": "affected",
              "version": "3.0.8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-13T12:41:27",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.6 - CSV Injection",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-0142",
          "STATE": "PUBLIC",
          "TITLE": "Visual Form Builder \u003c 3.0.6 - CSV Injection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Form Builder",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0.8",
                            "version_value": "3.0.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
            },
            {
              "name": "https://www.fortiguard.com/zeroday/FG-VD-21-080",
              "refsource": "MISC",
              "url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0142",
    "datePublished": "2022-04-12T11:15:23",
    "dateReserved": "2022-01-06T00:00:00",
    "dateUpdated": "2024-08-02T23:18:41.999Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0141 (GCVE-0-2022-0141)

Vulnerability from nvd – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
Title
Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF
Summary
The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor delete and restore arbitrary form entries via CSRF attacks.
Severity ?
No CVSS data available.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 3.0.8 , < 3.0.8 (custom)
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.711Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.8",
              "status": "affected",
              "version": "3.0.8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-13T12:41:26",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.8 - Entries Deletion/Restoration via CSRF",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-0141",
          "STATE": "PUBLIC",
          "TITLE": "Visual Form Builder \u003c 3.0.8 - Entries Deletion/Restoration via CSRF"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Form Builder",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0.8",
                            "version_value": "3.0.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
            },
            {
              "name": "https://www.fortiguard.com/zeroday/FG-VD-21-081",
              "refsource": "MISC",
              "url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0141",
    "datePublished": "2022-04-12T11:15:22",
    "dateReserved": "2022-01-06T00:00:00",
    "dateUpdated": "2024-08-02T23:18:41.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0140 (GCVE-0-2022-0140)

Vulnerability from nvd – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
Title
Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure
Summary
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.
Severity ?
No CVSS data available.
Assigner
WPScan
Impacted products
Vendor Product Version
Unknown Visual Form Builder Affected: 0 , < 3.0.6 (custom)
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs (finder); WPScan (coordinator)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.793Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-24T09:16:04.380Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
        },
        {
          "url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.6 - Unauthenticated Information Disclosure",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0140",
    "datePublished": "2022-04-12T11:15:20",
    "dateReserved": "2022-01-06T00:00:00",
    "dateUpdated": "2024-08-02T23:18:41.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-24514 (GCVE-0-2021-24514)

Vulnerability from nvd – Published: 2021-10-25 13:20 – Updated: 2024-08-03 19:35
Title
Visual Form Builder < 3.0.4 - Admin+ Stored Cross-Site Scripting
Summary
The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
WPScan
References
https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2
Impacted products
Vendor Product Version
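Unknown Visual Form Builder Affected: 3.0.4 , < 3.0.4 (custom) (read literally, this range starts and ends at 3.0.4 and so matches no version; the summary states that versions before 3.0.4 are affected, so version matching should follow the summary rather than this range)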
Credits
Felipe Restrepo Rodriguez

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:35:19.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Form Builder",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.0.4",
              "status": "affected",
              "version": "3.0.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Felipe Restrepo Rodriguez"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-25T13:20:39",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Form Builder \u003c 3.0.4 - Admin+ Stored Cross-Site Scripting",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24514",
          "STATE": "PUBLIC",
          "TITLE": "Visual Form Builder \u003c 3.0.4 - Admin+ Stored Cross-Site Scripting"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Form Builder",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0.4",
                            "version_value": "3.0.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Felipe Restrepo Rodriguez"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24514",
    "datePublished": "2021-10-25T13:20:39",
    "dateReserved": "2021-01-14T00:00:00",
    "dateUpdated": "2024-08-03T19:35:19.892Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}