CVSS: 4.4EPSS: %CPEs: 1EXPL: 0CVE-2024-8542 – Everest Forms <= 3.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-8542
The Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51695 – WordPress Everest Forms Plugin <= 2.0.4.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-51695
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! allows Stored XSS.This issue affects Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!: from n/a through 2.0.4.1. La vulnerabilidad de neutralización incorrecta de la entrada durante de generación de páginas web ('Cross-site Scripting') en WPEverest Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! permite XSS almacenado. • https://patchstack.com/database/vulnerability/everest-forms/wordpress-everest-forms-plugin-2-0-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51377 – WordPress Everest Forms plugin <= 2.0.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-51377
Missing Authorization vulnerability in WPEverest Everest Forms.This issue affects Everest Forms: from n/a through 2.0.3. Vulnerabilidad de autorización faltante en WPEverest Everest Forms. Este problema afecta a Everest Forms: desde n/a hasta 2.0.3. The Everest Forms plugin for WordPress is vulnerable to unauthorized form submission due to a missing validation check in the do_task function in versions up to, and including, 2.0.3. This makes it possible for unauthenticated attackers to submit disabled forms. • https://patchstack.com/database/vulnerability/everest-forms/wordpress-everest-forms-plugin-2-0-3-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24907 – Everest Forms < 1.8.0 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24907
The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue El plugin Contact Form, Drag and Drop Form Builder para WordPress versiones anteriores a 1.8.0, no escapa del parámetro status antes de devolverlo en un atributo, conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/56dae1ae-d5d2-45d3-8991-db69cc47ddb7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13575 – Contact Form, Drag and Drop Form Builder for WordPress – Everest Forms <= 1.4.9 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-13575
A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/evf-entry-functions.php Existe una vulnerabilidad de inyección de SQL en el plugin WPEverest Everest Forms para WordPress hasta 1.4.9. La explotación con éxito de esta vulnerabilidad permitiría a un atacante remoto ejecutar comandos SQL arbitrarios en el sistema afectado a través de includes / evf-entry-functions.php • https://fortiguard.com/zeroday/FG-VD-19-096 https://github.com/wpeverest/everest-forms/commit/755d095fe0d9a756a13800d1513cf98219e4a3f9 https://github.com/wpeverest/everest-forms/commit/755d095fe0d9a756a13800d1513cf98219e4a3f9#diff-bb2b21ef7774df8687ff02b0284505c6 https://wordpress.org/plugins/everest-forms/#developers https://wpvulndb.com/vulnerabilities/9466 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •