CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35747 – WordPress Contact Form Builder, Contact Widget plugin <= 2.1.7 - Bypass Vulnerability vulnerability
https://notcve.org/view.php?id=CVE-2024-35747
Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass.This issue affects Contact Form Builder, Contact Widget: from n/a through 2.1.7. Vulnerabilidad de restricción inadecuada de intentos de autenticación excesivos en wpdevart Contact Form Builder, Contact Widget permite omitir la funcionalidad. Este problema afecta a Contact Form Builder, Contact Widget: desde n/a hasta 2.1.7. The Contact Form Builder, Contact Widget plugin for WordPress is vulnerable to protection bypass in all versions up to, and including, 2.1.7. This is due to the plugin not properly restricting authentication attempts. • https://patchstack.com/database/vulnerability/contact-forms-builder/wordpress-contact-form-builder-contact-widget-plugin-2-1-7-bypass-vulnerability-vulnerability?_s_id=cve • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1640 – Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form <= 2.10.1 - Unauthenticated Insecure Direct Object Reference to Form Submission Alteration
https://notcve.org/view.php?id=CVE-2024-1640
The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient user validation on the bitforms_update_form_entry AJAX action in all versions up to, and including, 2.10.1. This makes it possible for unauthenticated attackers to modify form submissions. El complemento Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una validación insuficiente del usuario en la acción AJAX bitforms_update_form_entry en todas las versiones hasta e incluyendo, 2.10.1. Esto hace posible que atacantes no autenticados modifiquen los envíos de formularios. • https://plugins.trac.wordpress.org/changeset/3048523/bit-form/trunk/includes/Frontend/Ajax/FrontendAjax.php https://www.wordfence.com/threat-intel/vulnerabilities/id/49ed7d6a-4a65-4efc-90e5-ffa5470d4011?source=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46075 – WordPress Contact Form Builder, Contact Widget Plugin <= 2.1.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-46075
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wpdevart Contact Form Builder, Contact Widget plugin <= 2.1.6 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada no autenticada en el complemento wpdevart Contact Form Builder, Contact Widget en versiones <= 2.1.6. The Contact Form Builder, Contact Widget plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/contact-forms-builder/wordpress-contact-form-builder-contact-widget-plugin-2-1-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3645 – Contact Form Builder by Bit Form < 2.2.0 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-3645
The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The Contact Form Builder by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/58c11f1e-6ea0-468c-b974-4aea9eb94b82 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •