CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1945 – ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion
https://notcve.org/view.php?id=CVE-2024-1945
The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber access and above, to delete arbitrary site options, resulting in loss of availability. El complemento Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder para WordPress es vulnerable a la pérdida no autorizada de datos debido a una falta de verificación de capacidad en la función 'arflite_remove_preview_data' en todas las versiones hasta la 1.6.4 incluida. Esto hace posible que atacantes autenticados, con acceso de suscriptor y superior, eliminen opciones arbitrarias del sitio, lo que resulta en una pérdida de disponibilidad. • https://plugins.trac.wordpress.org/browser/arforms-form-builder/tags/1.6.3/core/controllers/arfliteformcontroller.php https://www.wordfence.com/threat-intel/vulnerabilities/id/026f8d9b-a66b-4a59-8375-fba587a4eef7?source=cve • CWE-862: Missing Authorization •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6828 – ARForms <= 1.5.8 - Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url
https://notcve.org/view.php?id=CVE-2023-6828
The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ arf_http_referrer_url’ parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder complemento para WordPress es vulnerable a Cross-Site Scripting almacenado a través del parámetro 'arf_http_referrer_url' en todas las versiones hasta la 1.5.8 incluida debido a una sanitización de entrada insuficiente y salida que se escapa. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3013347@arforms-form-builder/trunk&old=2998602@arforms-form-builder/trunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/6e349cae-a996-4a32-807a-a98ebcb01edd?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45838 – WordPress ARForms Form Builder Plugin <= 1.5.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-45838
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Repute InfoSystems ARForms Form Builder plugin <= 1.5.5 versions. The ARForms Form Builder plugin for WordPress is vulnerable to Cross-Site Scripting via an unspecified parameter in versions up to, and including, 1.5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/arforms-form-builder/wordpress-arforms-form-builder-plugin-1-5-3-unauth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24718 – ARForms Form Builder < 1.5 - Admin+ Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-24718
The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed El plugin Contact Form, Survey & Popup Form para WordPress versiones anteriores a 1.5, no sanea correctamente algunos de sus ajustes, permitiendo a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html está deshabilitada The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/60c9d78f-ae2c-49e0-aca3-6dce1bd8f697 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •