CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1945 – ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion
https://notcve.org/view.php?id=CVE-2024-1945
25 Apr 2024 — The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber access and above, to delete arbitrary site options, resulting in loss of availability. El complemento Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Fo... • https://plugins.trac.wordpress.org/browser/arforms-form-builder/tags/1.6.3/core/controllers/arfliteformcontroller.php • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32705 – WordPress ARForms plugin <= 6.4 - Subscriber+ Arbitrary Plugin Activation/Deactivation Vulnerability
https://notcve.org/view.php?id=CVE-2024-32705
22 Apr 2024 — Missing Authorization vulnerability in reputeinfosystems ARForms.This issue affects ARForms: from n/a through 6.4. Vulnerabilidad de autorización faltante en reputeinfosystems ARForms. Este problema afecta a ARForms: desde n/a hasta 6.4. The ARforms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to acti... • https://patchstack.com/database/vulnerability/arforms/wordpress-arforms-plugin-6-4-subscriber-arbitrary-plugin-activation-deactivation-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6828 – ARForms <= 1.5.8 - Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url
https://notcve.org/view.php?id=CVE-2023-6828
03 Jan 2024 — The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ arf_http_referrer_url’ parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Contact Form, Survey & Popup Form Plugin for WordPress – A... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3013347@arforms-form-builder/trunk&old=2998602@arforms-form-builder/trunk&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45838 – WordPress ARForms Form Builder Plugin <= 1.5.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-45838
23 Nov 2022 — Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Repute InfoSystems ARForms Form Builder plugin <= 1.5.5 versions. The ARForms Form Builder plugin for WordPress is vulnerable to Cross-Site Scripting via an unspecified parameter in versions up to, and including, 1.5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Unauth. • https://patchstack.com/database/vulnerability/arforms-form-builder/wordpress-arforms-form-builder-plugin-1-5-3-unauth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24718 – ARForms Form Builder < 1.5 - Admin+ Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-24718
02 Nov 2021 — The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed El plugin Contact Form, Survey & Popup Form para WordPress versiones anteriores a 1.5, no sanea correctamente algunos de sus ajustes, permitiendo a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad ... • https://wpscan.com/vulnerability/60c9d78f-ae2c-49e0-aca3-6dce1bd8f697 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16902 – ARforms <= 3.7.1 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2019-16902
27 Sep 2019 — In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname. En el plugin Arforms versión 3.7.1 para WordPress, la función arf_delete_file en el archivo arformcontroller.php permite la eliminación no autenticada de un archivo arbitrario mediante el suministro del nombre de ruta completo. • https://www.exploit-db.com/exploits/47443 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15818 – Repute ARForms <= 3.5.1 - Unauthenticated Arbitrary File Deletion via Path Traversal
https://notcve.org/view.php?id=CVE-2018-15818
17 Oct 2018 — An issue was discovered in Repute ARForms 3.5.1 and prior. An attacker is able to delete any file on the server with web server privileges by sending a malicious request to admin-ajax.php. Se ha descubierto un problema en Repute ARForms, en versiones 3.5.1 y anteriores. Un atacante puede eliminar cualquier archivo en el servidor con privilegios del servidor web mediante el envío de una petición maliciosa a admin-ajax.php. WordPress Arforms plugin versions 3.5.1 and below suffer from an arbitrary file deleti... • http://packetstormsecurity.com/files/149981/WordPress-Arforms-3.5.1-Arbitrary-File-Delete.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •