Search criteria
5 vulnerabilities by WS Form
CVE-2024-47320 (GCVE-0-2024-47320)
Vulnerability from cvelistv5 – Published: 2024-10-06 11:19 – Updated: 2024-10-07 13:11
VLAI?
Title
WordPress WS Form LITE plugin <= 1.9.238 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WS Form WS Form LITE allows Stored XSS.This issue affects WS Form LITE: from n/a through 1.9.238.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WS Form | WS Form LITE |
Affected:
n/a , ≤ 1.9.238
(custom)
|
Credits
Savphill (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T13:10:56.076615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T13:11:10.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ws-form",
"product": "WS Form LITE",
"vendor": "WS Form",
"versions": [
{
"changes": [
{
"at": "1.9.244",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.9.238",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Savphill (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in WS Form WS Form LITE allows Stored XSS.\u003cp\u003eThis issue affects WS Form LITE: from n/a through 1.9.238.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in WS Form WS Form LITE allows Stored XSS.This issue affects WS Form LITE: from n/a through 1.9.238."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-06T11:19:16.137Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/ws-form/wordpress-ws-form-lite-plugin-1-9-238-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.9.244 or a higher version."
}
],
"value": "Update to 1.9.244 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WS Form LITE plugin \u003c= 1.9.238 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47320",
"datePublished": "2024-10-06T11:19:16.137Z",
"dateReserved": "2024-09-24T13:00:35.587Z",
"dateUpdated": "2024-10-07T13:11:10.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5424 (GCVE-0-2023-5424)
Vulnerability from cvelistv5 – Published: 2024-06-07 09:33 – Updated: 2024-08-02 07:59
VLAI?
Title
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection
Summary
The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Severity ?
4.7 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| westguard | WS Form LITE – Drag & Drop Contact Form Builder for WordPress |
Affected:
* , ≤ 1.9.217
(semver)
|
|||||||
|
|||||||||
Credits
Duc Manh
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T12:19:36.481560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T12:19:52.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "westguard",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duc Manh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T09:33:35.882Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-05T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-06-06T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WS Form LITE \u003c= 1.9.217 - Unauthenticated CSV Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-5424",
"datePublished": "2024-06-07T09:33:35.882Z",
"dateReserved": "2023-10-05T12:15:52.704Z",
"dateUpdated": "2024-08-02T07:59:44.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52135 (GCVE-0-2023-52135)
Vulnerability from cvelistv5 – Published: 2023-12-29 10:09 – Updated: 2024-08-02 22:48
VLAI?
Title
WordPress WS Form LITE Plugin <= 1.9.170 is vulnerable to SQL Injection
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WS Form WS Form LITE – Drag & Drop Contact Form Builder for WordPress.This issue affects WS Form LITE – Drag & Drop Contact Form Builder for WordPress: from n/a through 1.9.170.
Severity ?
7.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress |
Affected:
n/a , ≤ 1.9.170
(custom)
|
Credits
Muhammad Daffa (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ws-form/wordpress-ws-form-lite-drag-drop-contact-form-builder-for-wordpress-plugin-1-9-170-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ws-form",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"changes": [
{
"at": "1.9.171",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.9.170",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Muhammad Daffa (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in WS Form WS Form LITE \u2013 Drag \u0026amp; Drop Contact Form Builder for WordPress.\u003cp\u003eThis issue affects WS Form LITE \u2013 Drag \u0026amp; Drop Contact Form Builder for WordPress: from n/a through 1.9.170.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in WS Form WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress.This issue affects WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress: from n/a through 1.9.170.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T10:09:42.451Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/ws-form/wordpress-ws-form-lite-drag-drop-contact-form-builder-for-wordpress-plugin-1-9-170-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;1.9.171 or a higher version."
}
],
"value": "Update to\u00a01.9.171 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WS Form LITE Plugin \u003c= 1.9.170 is vulnerable to SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-52135",
"datePublished": "2023-12-29T10:09:42.451Z",
"dateReserved": "2023-12-28T11:39:21.210Z",
"dateUpdated": "2024-08-02T22:48:12.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23988 (GCVE-0-2022-23988)
Vulnerability from cvelistv5 – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
VLAI?
Title
WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress |
Affected:
1.8.176 , < 1.8.176
(custom)
|
|||||||
|
|||||||||
Credits
Felipe Restrepo Rodriguez
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:03",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23988",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23988",
"datePublished": "2022-02-28T09:07:03",
"dateReserved": "2022-01-26T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23987 (GCVE-0-2022-23987)
Vulnerability from cvelistv5 – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
VLAI?
Title
WS Form < 1.8.176 - Admin+ Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress |
Affected:
1.8.176 , < 1.8.176
(custom)
|
|||||||
|
|||||||||
Credits
Felipe Restrepo Rodriguez
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:01",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23987",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23987",
"datePublished": "2022-02-28T09:07:01",
"dateReserved": "2022-01-26T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}