CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oliver Seidel, Bastian Germann cformsII allows Stored XSS. This issue affects cformsII: from n/a through 15.0.5. The cformsII plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 15.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://patchstack.com/database/vulnerability/cforms2/wordpress-cformsii-plugin-15-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Oliver Seidel, Bastian Germann cformsII plugin <= 15.0.4 versions. The cformsII plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 15.0.4. This is due to missing or incorrect nonce validation in the 'cforms-options.php', 'cforms-global-settings.php', 'cforms-corrupted.php' files. This makes it possible for unauthenticated attackers to update global settings and reset form data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/cforms2/wordpress-cformsii-plugin-15-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field.
• https://wordpress.org/plugins/cforms2/#developers
• https://wpvulndb.com/vulnerabilities/9505
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The cforms2 plugin before 14.13.3 for WordPress has multiple XSS issues. The cformsII plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 14.13.2 due to insufficient input sanitization and output escaping on the 'switchform', 'pickform', and 'noSub' parameters. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser.
• https://wordpress.org/plugins/cforms2/#developers
• https://wpvulndb.com/vulnerabilities/9727
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The cforms2 plugin before 14.13 for WordPress has SQL injection in the tracking DB GUI via Delete Entries or Download Entries. The cformsII plugin for WordPress is vulnerable to generic SQL Injection via Delete Entries or Download Entries in versions up to, and including, 14.12.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for highly-privileged attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
• https://wordpress.org/plugins/cforms2/#developers
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')