Search criteria
18 vulnerabilities found for weforms by weformspro
FKIE_CVE-2023-51524
Vulnerability from fkie_nvd - Published: 2024-06-12 10:15 - Updated: 2024-11-21 08:38
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.18.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| weformspro | weforms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:weformspro:weforms:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "36E5E1A1-0B5A-44C1-93CA-350C9C00A86A",
"versionEndExcluding": "1.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.18."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n faltante en weForms. Este problema afecta a weForms: desde n/a hasta 1.6.18."
}
],
"id": "CVE-2023-51524",
"lastModified": "2024-11-21T08:38:18.383",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-12T10:15:28.670",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-18-broken-access-control-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-18-broken-access-control-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-30512
Vulnerability from fkie_nvd - Published: 2024-06-09 11:15 - Updated: 2024-11-21 09:12
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.20.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| weformspro | weforms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:weformspro:weforms:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "162B091C-598D-4554-9262-AD91671AA23B",
"versionEndExcluding": "1.6.21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.20."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n faltante en weForms. Este problema afecta a weForms: desde n/a hasta 1.6.20."
}
],
"id": "CVE-2024-30512",
"lastModified": "2024-11-21T09:12:04.617",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-09T11:15:51.780",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-20-broken-access-control-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-20-broken-access-control-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-0386
Vulnerability from fkie_nvd - Published: 2024-03-12 22:15 - Updated: 2025-01-15 16:38
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| weformspro | weforms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:weformspro:weforms:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C8AC1EAB-22D5-412B-A011-13162A23B1BF",
"versionEndExcluding": "1.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Referer\u0027 HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
},
{
"lang": "es",
"value": "El complemento weForms para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del encabezado HTTP \u0027Referer\u0027 en todas las versiones hasta la 1.6.21 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."
}
],
"id": "CVE-2024-0386",
"lastModified": "2025-01-15T16:38:37.440",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-12T22:15:07.250",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch",
"Product"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3047406%40weforms\u0026new=3047406%40weforms\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f436ab65-a59c-4b2a-abc8-a7fc038678dd?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Product"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3047406%40weforms\u0026new=3047406%40weforms\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f436ab65-a59c-4b2a-abc8-a7fc038678dd?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-50896
Vulnerability from fkie_nvd - Published: 2023-12-29 11:15 - Updated: 2024-11-21 08:37
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress: from n/a through 1.6.17.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| weformspro | weforms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:weformspro:weforms:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "3684BF2E-A924-413A-8C0D-C048339D7C95",
"versionEndIncluding": "1.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in weForms weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress: from n/a through 1.6.17.\n\n"
},
{
"lang": "es",
"value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en weForms weForms \u2013 Easy Drag \u0026amp; Drop Contact Form Builder for WordPress permite XSS almacenado. Este problema afecta a weForms \u2013 Easy Drag \u0026amp; Drop Contact Form Builder For WordPress: de n/a hasta el 1.6.17."
}
],
"id": "CVE-2023-50896",
"lastModified": "2024-11-21T08:37:29.930",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 3.7,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-29T11:15:08.363",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-17-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-17-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-2395
Vulnerability from fkie_nvd - Published: 2022-08-08 14:15 - Updated: 2024-11-21 07:00
Severity ?
Summary
The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| weformspro | weforms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:weformspro:weforms:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "CA56360D-2771-4558-BD0A-EEE5C88076B6",
"versionEndExcluding": "1.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
},
{
"lang": "es",
"value": "El plugin weForms de WordPress versiones anteriores a 1.6.14, no sanea ni escapa de su configuraci\u00f3n, lo que permite a usuarios con altos privilegios, como los administradores, llevar a cabo ataques de Cross-Site Scripting incluso cuando la capacidad unfiltered_html no est\u00e1 permitida"
}
],
"id": "CVE-2022-2395",
"lastModified": "2024-11-21T07:00:54.383",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-08T14:15:09.657",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2020-22276
Vulnerability from fkie_nvd - Published: 2020-11-04 17:15 - Updated: 2024-11-21 05:13
Severity ?
Summary
WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://uploadboy.com/tvvs4p2gf03m/887/mp4 | Third Party Advisory | |
| cve@mitre.org | https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf | Exploit, Third Party Advisory | |
| cve@mitre.org | https://filebin.net/khncr59vyfztn6wj | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://uploadboy.com/tvvs4p2gf03m/887/mp4 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://filebin.net/khncr59vyfztn6wj | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| weformspro | weforms | 1.4.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:weformspro:weforms:1.4.7:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "53B77745-F36C-48E3-9F3C-DFD572C40A12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form\u0027s entry."
},
{
"lang": "es",
"value": "WeForms Wordpress Plugin versi\u00f3n 1.4.7, permite una inyecci\u00f3n CSV por medio de una entrada de un formulario"
}
],
"id": "CVE-2020-22276",
"lastModified": "2024-11-21T05:13:13.667",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-04T17:15:12.990",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://filebin.net/khncr59vyfztn6wj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://filebin.net/khncr59vyfztn6wj"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1236"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-51524 (GCVE-0-2023-51524)
Vulnerability from cvelistv5 – Published: 2024-06-12 09:09 – Updated: 2024-08-02 22:40
VLAI?
Title
WordPress weForms plugin <= 1.6.18 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.18.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
emad (Patchstack Alliance)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:weformspro:weforms:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "weforms",
"vendor": "weformspro",
"versions": [
{
"lessThanOrEqual": "1.6.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T12:47:06.079217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T12:48:19.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:32.381Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-18-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "weforms",
"product": "weForms",
"vendor": "weForms",
"versions": [
{
"changes": [
{
"at": "1.6.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.18",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "emad (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in weForms.\u003cp\u003eThis issue affects weForms: from n/a through 1.6.18.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T09:09:59.874Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-18-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.6.19 or a higher version."
}
],
"value": "Update to 1.6.19 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress weForms plugin \u003c= 1.6.18 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-51524",
"datePublished": "2024-06-12T09:09:59.874Z",
"dateReserved": "2023-12-20T17:28:07.137Z",
"dateUpdated": "2024-08-02T22:40:32.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30512 (GCVE-0-2024-30512)
Vulnerability from cvelistv5 – Published: 2024-06-09 10:59 – Updated: 2024-08-02 01:38
VLAI?
Title
WordPress weForms plugin <= 1.6.20 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.20.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
Kyle Sanchez (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30512",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T11:02:07.901750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T11:02:15.558Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:38:59.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-20-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "weforms",
"product": "weForms",
"vendor": "weForms",
"versions": [
{
"changes": [
{
"at": "1.6.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.20",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kyle Sanchez (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in weForms.\u003cp\u003eThis issue affects weForms: from n/a through 1.6.20.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-09T10:59:42.461Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-20-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.6.21 or a higher version."
}
],
"value": "Update to 1.6.21 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress weForms plugin \u003c= 1.6.20 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-30512",
"datePublished": "2024-06-09T10:59:42.461Z",
"dateReserved": "2024-03-27T12:26:51.740Z",
"dateUpdated": "2024-08-02T01:38:59.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0386 (GCVE-0-2024-0386)
Vulnerability from cvelistv5 – Published: 2024-03-12 21:34 – Updated: 2024-08-01 18:04
VLAI?
Summary
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| boldgrid | weForms – Easy Drag & Drop Contact Form Builder For WordPress |
Affected:
* , ≤ 1.6.21
(semver)
|
Credits
Pedro Paniago
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T13:08:22.365841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:30.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.553Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f436ab65-a59c-4b2a-abc8-a7fc038678dd?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3047406%40weforms\u0026new=3047406%40weforms\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress",
"vendor": "boldgrid",
"versions": [
{
"lessThanOrEqual": "1.6.21",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pedro Paniago"
}
],
"descriptions": [
{
"lang": "en",
"value": "The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Referer\u0027 HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T21:34:34.174Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f436ab65-a59c-4b2a-abc8-a7fc038678dd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3047406%40weforms\u0026new=3047406%40weforms\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-12T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0386",
"datePublished": "2024-03-12T21:34:34.174Z",
"dateReserved": "2024-01-09T23:51:33.487Z",
"dateUpdated": "2024-08-01T18:04:49.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50896 (GCVE-0-2023-50896)
Vulnerability from cvelistv5 – Published: 2023-12-29 11:09 – Updated: 2024-08-02 22:23
VLAI?
Title
WordPress weForms Plugin <= 1.6.17 is vulnerable to Cross Site Scripting (XSS)
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress: from n/a through 1.6.17.
Severity ?
5.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| weForms | weForms – Easy Drag & Drop Contact Form Builder For WordPress |
Affected:
n/a , ≤ 1.6.17
(custom)
|
Credits
emad (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:23:43.895Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-17-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "weforms",
"product": "weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress",
"vendor": "weForms",
"versions": [
{
"changes": [
{
"at": "1.6.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.17",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "emad (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in weForms weForms \u2013 Easy Drag \u0026amp; Drop Contact Form Builder For WordPress allows Stored XSS.\u003cp\u003eThis issue affects weForms \u2013 Easy Drag \u0026amp; Drop Contact Form Builder For WordPress: from n/a through 1.6.17.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in weForms weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress: from n/a through 1.6.17.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T11:09:16.175Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-17-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;1.6.18 or a higher version."
}
],
"value": "Update to\u00a01.6.18 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress weForms Plugin \u003c= 1.6.17 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-50896",
"datePublished": "2023-12-29T11:09:16.175Z",
"dateReserved": "2023-12-15T15:45:32.564Z",
"dateUpdated": "2024-08-02T22:23:43.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2395 (GCVE-0-2022-2395)
Vulnerability from cvelistv5 – Published: 2022-08-08 13:48 – Updated: 2024-08-03 00:39
VLAI?
Title
weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
Summary
The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | weForms – Easy Drag & Drop Contact Form Builder For WordPress |
Affected:
1.6.14 , < 1.6.14
(custom)
|
Credits
Tri Wanda Septian
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:06.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.6.14",
"status": "affected",
"version": "1.6.14",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tri Wanda Septian"
}
],
"descriptions": [
{
"lang": "en",
"value": "The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-08T13:48:42",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "weForms \u003c 1.6.14 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-2395",
"STATE": "PUBLIC",
"TITLE": "weForms \u003c 1.6.14 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.6.14",
"version_value": "1.6.14"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tri Wanda Septian"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2395",
"datePublished": "2022-08-08T13:48:42",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T00:39:06.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-22276 (GCVE-0-2020-22276)
Vulnerability from cvelistv5 – Published: 2020-11-04 16:54 – Updated: 2024-08-04 14:51
VLAI?
Summary
WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:51:10.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://filebin.net/khncr59vyfztn6wj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form\u0027s entry."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-04T16:54:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://filebin.net/khncr59vyfztn6wj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-22276",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form\u0027s entry."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://filebin.net/khncr59vyfztn6wj",
"refsource": "MISC",
"url": "https://filebin.net/khncr59vyfztn6wj"
},
{
"name": "http://uploadboy.com/tvvs4p2gf03m/887/mp4",
"refsource": "MISC",
"url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
},
{
"name": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf",
"refsource": "MISC",
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-22276",
"datePublished": "2020-11-04T16:54:50",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:51:10.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51524 (GCVE-0-2023-51524)
Vulnerability from nvd – Published: 2024-06-12 09:09 – Updated: 2024-08-02 22:40
VLAI?
Title
WordPress weForms plugin <= 1.6.18 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.18.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
emad (Patchstack Alliance)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:weformspro:weforms:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "weforms",
"vendor": "weformspro",
"versions": [
{
"lessThanOrEqual": "1.6.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T12:47:06.079217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T12:48:19.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:32.381Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-18-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "weforms",
"product": "weForms",
"vendor": "weForms",
"versions": [
{
"changes": [
{
"at": "1.6.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.18",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "emad (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in weForms.\u003cp\u003eThis issue affects weForms: from n/a through 1.6.18.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T09:09:59.874Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-18-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.6.19 or a higher version."
}
],
"value": "Update to 1.6.19 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress weForms plugin \u003c= 1.6.18 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-51524",
"datePublished": "2024-06-12T09:09:59.874Z",
"dateReserved": "2023-12-20T17:28:07.137Z",
"dateUpdated": "2024-08-02T22:40:32.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30512 (GCVE-0-2024-30512)
Vulnerability from nvd – Published: 2024-06-09 10:59 – Updated: 2024-08-02 01:38
VLAI?
Title
WordPress weForms plugin <= 1.6.20 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.20.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
Kyle Sanchez (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30512",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T11:02:07.901750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T11:02:15.558Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:38:59.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-20-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "weforms",
"product": "weForms",
"vendor": "weForms",
"versions": [
{
"changes": [
{
"at": "1.6.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.20",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kyle Sanchez (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in weForms.\u003cp\u003eThis issue affects weForms: from n/a through 1.6.20.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-09T10:59:42.461Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-20-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.6.21 or a higher version."
}
],
"value": "Update to 1.6.21 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress weForms plugin \u003c= 1.6.20 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-30512",
"datePublished": "2024-06-09T10:59:42.461Z",
"dateReserved": "2024-03-27T12:26:51.740Z",
"dateUpdated": "2024-08-02T01:38:59.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0386 (GCVE-0-2024-0386)
Vulnerability from nvd – Published: 2024-03-12 21:34 – Updated: 2024-08-01 18:04
VLAI?
Summary
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| boldgrid | weForms – Easy Drag & Drop Contact Form Builder For WordPress |
Affected:
* , ≤ 1.6.21
(semver)
|
Credits
Pedro Paniago
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T13:08:22.365841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:30.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.553Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f436ab65-a59c-4b2a-abc8-a7fc038678dd?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3047406%40weforms\u0026new=3047406%40weforms\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress",
"vendor": "boldgrid",
"versions": [
{
"lessThanOrEqual": "1.6.21",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pedro Paniago"
}
],
"descriptions": [
{
"lang": "en",
"value": "The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Referer\u0027 HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T21:34:34.174Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f436ab65-a59c-4b2a-abc8-a7fc038678dd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3047406%40weforms\u0026new=3047406%40weforms\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-12T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0386",
"datePublished": "2024-03-12T21:34:34.174Z",
"dateReserved": "2024-01-09T23:51:33.487Z",
"dateUpdated": "2024-08-01T18:04:49.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50896 (GCVE-0-2023-50896)
Vulnerability from nvd – Published: 2023-12-29 11:09 – Updated: 2024-08-02 22:23
VLAI?
Title
WordPress weForms Plugin <= 1.6.17 is vulnerable to Cross Site Scripting (XSS)
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress: from n/a through 1.6.17.
Severity ?
5.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| weForms | weForms – Easy Drag & Drop Contact Form Builder For WordPress |
Affected:
n/a , ≤ 1.6.17
(custom)
|
Credits
emad (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:23:43.895Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-17-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "weforms",
"product": "weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress",
"vendor": "weForms",
"versions": [
{
"changes": [
{
"at": "1.6.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.17",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "emad (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in weForms weForms \u2013 Easy Drag \u0026amp; Drop Contact Form Builder For WordPress allows Stored XSS.\u003cp\u003eThis issue affects weForms \u2013 Easy Drag \u0026amp; Drop Contact Form Builder For WordPress: from n/a through 1.6.17.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in weForms weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress: from n/a through 1.6.17.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T11:09:16.175Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/weforms/wordpress-weforms-plugin-1-6-17-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;1.6.18 or a higher version."
}
],
"value": "Update to\u00a01.6.18 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress weForms Plugin \u003c= 1.6.17 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-50896",
"datePublished": "2023-12-29T11:09:16.175Z",
"dateReserved": "2023-12-15T15:45:32.564Z",
"dateUpdated": "2024-08-02T22:23:43.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2395 (GCVE-0-2022-2395)
Vulnerability from nvd – Published: 2022-08-08 13:48 – Updated: 2024-08-03 00:39
VLAI?
Title
weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
Summary
The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | weForms – Easy Drag & Drop Contact Form Builder For WordPress |
Affected:
1.6.14 , < 1.6.14
(custom)
|
Credits
Tri Wanda Septian
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:06.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.6.14",
"status": "affected",
"version": "1.6.14",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tri Wanda Septian"
}
],
"descriptions": [
{
"lang": "en",
"value": "The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-08T13:48:42",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "weForms \u003c 1.6.14 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-2395",
"STATE": "PUBLIC",
"TITLE": "weForms \u003c 1.6.14 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "weForms \u2013 Easy Drag \u0026 Drop Contact Form Builder For WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.6.14",
"version_value": "1.6.14"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tri Wanda Septian"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/5e442dd9-a49d-4a8e-959b-199a8689da4b"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2395",
"datePublished": "2022-08-08T13:48:42",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-08-03T00:39:06.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-22276 (GCVE-0-2020-22276)
Vulnerability from nvd – Published: 2020-11-04 16:54 – Updated: 2024-08-04 14:51
VLAI?
Summary
WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:51:10.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://filebin.net/khncr59vyfztn6wj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form\u0027s entry."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-04T16:54:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://filebin.net/khncr59vyfztn6wj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-22276",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form\u0027s entry."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://filebin.net/khncr59vyfztn6wj",
"refsource": "MISC",
"url": "https://filebin.net/khncr59vyfztn6wj"
},
{
"name": "http://uploadboy.com/tvvs4p2gf03m/887/mp4",
"refsource": "MISC",
"url": "http://uploadboy.com/tvvs4p2gf03m/887/mp4"
},
{
"name": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf",
"refsource": "MISC",
"url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22276.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-22276",
"datePublished": "2020-11-04T16:54:50",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:51:10.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}