6 vulnerabilities by vfbpro
CVE-2023-47518 (GCVE-0-2023-47518)
Vulnerability from cvelistv5 – Published: 2023-11-14 22:11 – Updated: 2024-08-14 19:17
Title
WordPress Restrict Categories Plugin <= 2.6.4 is vulnerable to Cross Site Scripting (XSS)
Summary
Unauthenticated reflected Cross-Site Scripting (XSS) vulnerability in the Matthew Muro Restrict Categories plugin, versions <= 2.6.4.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Matthew Muro | Restrict Categories | Affected: n/a, ≤ 2.6.4 (custom) |
Credits
Le Ngoc Anh (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:09:37.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/restrict-categories/wordpress-restrict-categories-plugin-2-6-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T18:52:46.966863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T19:17:26.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "restrict-categories",
"product": "Restrict Categories",
"vendor": "Matthew Muro",
"versions": [
{
"lessThanOrEqual": "2.6.4",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Le Ngoc Anh (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Matthew Muro Restrict Categories plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;2.6.4 versions.\u003c/span\u003e"
}
],
"value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Matthew Muro Restrict Categories plugin \u003c=\u00a02.6.4 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T22:11:10.527Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/restrict-categories/wordpress-restrict-categories-plugin-2-6-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Restrict Categories Plugin \u003c= 2.6.4 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-47518",
"datePublished": "2023-11-14T22:11:10.527Z",
"dateReserved": "2023-11-06T08:35:52.297Z",
"dateUpdated": "2024-08-14T19:17:26.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1046 (GCVE-0-2022-1046)
Vulnerability from cvelistv5 – Published: 2022-05-02 16:05 – Updated: 2024-08-02 23:47
Title
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting
Summary
The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Visual Form Builder | Affected: 3.0.7, < 3.0.7 (custom) |
Credits
Akash Rajendra Patil
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:43.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Visual Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.7",
"status": "affected",
"version": "3.0.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Akash Rajendra Patil"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form\u0027s \u0027Email to\u0027 field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-02T16:05:48",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Visual Form Builder \u003c 3.0.7 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-1046",
"STATE": "PUBLIC",
"TITLE": "Visual Form Builder \u003c 3.0.7 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Visual Form Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.0.7",
"version_value": "3.0.7"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Akash Rajendra Patil"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form\u0027s \u0027Email to\u0027 field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/a1ae4512-0b5b-4f36-8334-14633bf24758"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-1046",
"datePublished": "2022-05-02T16:05:48",
"dateReserved": "2022-03-22T00:00:00",
"dateUpdated": "2024-08-02T23:47:43.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0142 (GCVE-0-2022-0142)
Vulnerability from cvelistv5 – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
Title
Visual Form Builder < 3.0.6 - CSV Injection
Summary
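The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection, allowing a user with low-level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution. Note that the record's title gives the bound as < 3.0.6, while this description and the affected-version data both give 3.0.8; the more conservative reading is that all versions before 3.0.8 are affected.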
Severity ?
No CVSS data available.
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Visual Form Builder | Affected: 3.0.8, < 3.0.8 (custom) |
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Visual Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.8",
"status": "affected",
"version": "3.0.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T12:41:27",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Visual Form Builder \u003c 3.0.6 - CSV Injection",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0142",
"STATE": "PUBLIC",
"TITLE": "Visual Form Builder \u003c 3.0.6 - CSV Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Visual Form Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.0.8",
"version_value": "3.0.8"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
},
{
"name": "https://www.fortiguard.com/zeroday/FG-VD-21-080",
"refsource": "MISC",
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0142",
"datePublished": "2022-04-12T11:15:23",
"dateReserved": "2022-01-06T00:00:00",
"dateUpdated": "2024-08-02T23:18:41.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0141 (GCVE-0-2022-0141)
Vulnerability from cvelistv5 – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
Title
Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF
Summary
The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor delete and restore arbitrary form entries via CSRF attacks.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Visual Form Builder | Affected: 3.0.8, < 3.0.8 (custom) |
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Visual Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.8",
"status": "affected",
"version": "3.0.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T12:41:26",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Visual Form Builder \u003c 3.0.8 - Entries Deletion/Restoration via CSRF",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0141",
"STATE": "PUBLIC",
"TITLE": "Visual Form Builder \u003c 3.0.8 - Entries Deletion/Restoration via CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Visual Form Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.0.8",
"version_value": "3.0.8"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/2adc8390-bb19-4adf-9805-e9c462d14d22"
},
{
"name": "https://www.fortiguard.com/zeroday/FG-VD-21-081",
"refsource": "MISC",
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-081"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0141",
"datePublished": "2022-04-12T11:15:22",
"dateReserved": "2022-01-06T00:00:00",
"dateUpdated": "2024-08-02T23:18:41.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0140 (GCVE-0-2022-0140)
Vulnerability from cvelistv5 – Published: 2022-04-12 11:15 – Updated: 2024-08-02 23:18
Title
Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure
Summary
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on form entry export, allowing unauthenticated users to view the form entries or export them as a CSV file using the vfb-export endpoint.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Visual Form Builder | Affected: 0, < 3.0.6 (custom) |
Credits
Vishnupriya Ilango of Fortinet's FortiGuard Labs
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Visual Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vishnupriya Ilango of Fortinet\u0027s FortiGuard Labs"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-24T09:16:04.380Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336"
},
{
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-082"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Visual Form Builder \u003c 3.0.6 - Unauthenticated Information Disclosure",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0140",
"datePublished": "2022-04-12T11:15:20",
"dateReserved": "2022-01-06T00:00:00",
"dateUpdated": "2024-08-02T23:18:41.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24514 (GCVE-0-2021-24514)
Vulnerability from cvelistv5 – Published: 2021-10-25 13:20 – Updated: 2024-08-03 19:35
Title
Visual Form Builder < 3.0.4 - Admin+ Stored Cross-Site Scripting
Summary
The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high-privilege users such as admins to set a Cross-Site Scripting payload in it, even when the unfiltered_html capability is disallowed.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Visual Form Builder | Affected: 3.0.4, < 3.0.4 (custom) |
Credits
Felipe Restrepo Rodriguez
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:19.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Visual Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-25T13:20:39",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Visual Form Builder \u003c 3.0.4 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24514",
"STATE": "PUBLIC",
"TITLE": "Visual Form Builder \u003c 3.0.4 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Visual Form Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.0.4",
"version_value": "3.0.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/0afa78d3-2403-4e0c-8f16-5b7874b03cd2"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24514",
"datePublished": "2021-10-25T13:20:39",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:35:19.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}