
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

09 May 2022 — The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow a high-privilege user such as an admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. • https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Jul 2021 — The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. • https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
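Both stored XSS entries above come down to the same two mistakes: a setting printed into markup without context-appropriate escaping, and an HTML-bearing setting saved without running it through the same filter WordPress core applies when unfiltered_html is not granted. The following is an added illustrative example, not Form Maker's code; it assumes a WordPress runtime (esc_attr, wp_kses_post, current_user_can are core functions) and the function names and the title/custom-text fields are invented for the example.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core is loaded.

// Vulnerable pattern: the form title is dropped straight into a value="..." attribute.
// A title containing a double quote closes the attribute and the rest becomes markup
// that runs in the browser of whoever opens the form editor.
function fm_demo_render_title_vulnerable( string $title ): string {
    return '<input type="text" name="title" value="' . $title . '">';
}

// Hardened: escape for the attribute context at output time.
// esc_attr() encodes " ' < > & so the value cannot leave the attribute.
function fm_demo_render_title_safe( string $title ): string {
    return '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
}

// Custom text that is allowed to hold limited HTML must be filtered on save.
// Core trusts users who hold the unfiltered_html capability; on multisite, or when
// DISALLOW_UNFILTERED_HTML is set, even administrators lack it. A plugin that
// skips the filter for "admins" reintroduces exactly the bypass core removed.
function fm_demo_sanitize_custom_text( string $raw ): string {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw;
    }
    return wp_kses_post( $raw );
}

// Wherever the stored custom text is later echoed into an attribute (a placeholder,
// a data-* attribute) it still needs esc_attr(); wp_kses_post() only makes it safe
// as HTML body content.
function fm_demo_render_custom_text_attr( string $stored ): string {
    return '<div data-text="' . esc_attr( $stored ) . '"></div>';
}
```

The point of the capability check is that "admin" is not a security boundary in a hardened WordPress install: the site owner decides with DISALLOW_UNFILTERED_HTML or a multisite setup that nobody may store raw script, and a plugin setting that bypasses that decision is the finding above.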

CVSS: 9.8 | EPSS: 18% | CPEs: 1 | EXPL: 3

10 May 2019 — In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter. • https://packetstorm.news/files/id/152830 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
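The query pattern behind a finding like this is a request value concatenated into SQL that selects labels or submissions for a form. As an added illustrative example, not Form Maker's code: the table and column names (demo_submissions, form_id, element_label, element_value) and the function names are assumptions; it uses the $wpdb API that every WordPress plugin has available.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core ($wpdb, absint).

// Vulnerable pattern: a request parameter glued into the query string.
// Anything other than a plain integer changes the structure of the query.
function fm_demo_labels_vulnerable( string $form_id_param ): array {
    global $wpdb;
    $sql = "SELECT element_label FROM {$wpdb->prefix}demo_submissions WHERE form_id = " . $form_id_param;
    return $wpdb->get_col( $sql );
}

// Hardened: coerce the id to an integer and bind it through $wpdb->prepare().
// %d forces an integer; %s quotes and escapes a string.
function fm_demo_labels_safe( $form_id_param ): array {
    global $wpdb;
    $form_id = absint( $form_id_param );
    $sql = $wpdb->prepare(
        "SELECT element_label FROM {$wpdb->prefix}demo_submissions WHERE form_id = %d",
        $form_id
    );
    return $wpdb->get_col( $sql );
}

// Variable-length IN (...) lists are the usual excuse for concatenation; they still
// go through prepare(): build one %s placeholder per value and pass the values as an array.
function fm_demo_submissions_for_labels( int $form_id, array $labels ): array {
    global $wpdb;
    if ( empty( $labels ) ) {
        return array();
    }
    $placeholders = implode( ', ', array_fill( 0, count( $labels ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT id, element_value FROM {$wpdb->prefix}demo_submissions WHERE form_id = %d AND element_label IN ( $placeholders )",
        array_merge( array( $form_id ), array_values( $labels ) )
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Column and table names cannot be bound as values. If a sort column comes from the
// request, map it onto a fixed allow-list instead of escaping it.
function fm_demo_order_by( string $requested ): string {
    $allowed = array( 'id', 'form_id', 'element_label' );
    return in_array( $requested, $allowed, true ) ? $requested : 'id';
}
```

Identifiers (the ORDER BY column, the table name) are the case prepare() cannot cover, which is why the last helper uses an allow-list rather than any form of escaping.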

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

05 Apr 2019 — The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized. • http://seclists.org/fulldisclosure/2019/Apr/36 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-352: Cross-Site Request Forgery (CSRF), CWE-829: Inclusion of Functionality from Untrusted Control Sphere
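The $_POST/$_GET discrepancy described above is a WordPress-specific trap: admin-ajax.php dispatches to the wp_ajax_* hook named by $_REQUEST['action'], and with PHP's default request_order the POST value overrides the GET value in $_REQUEST, so a handler can be invoked by one action name while $_GET['action'] carries a completely different string. A handler that then uses $_GET['action'] to choose a file to include, without a nonce, is reachable from a cross-site form and controls the include path. The following is an added illustrative example, not Form Maker's code; it assumes WordPress core (add_action, check_ajax_referer, current_user_can, wp_die, sanitize_key, plugin_dir_path) and the hook name fm_demo_action, the nonce name, the task parameter and the views/ files are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core is loaded.

// Vulnerable pattern: registered for one AJAX action, but the handler trusts
// $_GET['action'] to name a view file. Because admin-ajax.php routed on
// $_REQUEST['action'] (POST wins over GET), the GET value is not the one that
// selected this handler and is entirely attacker-chosen. No nonce, so any site
// the victim visits while logged in can submit the request, and '../' sequences
// in the value walk out of views/.
function fm_demo_ajax_vulnerable() {
    $view = $_GET['action'];
    include plugin_dir_path( __FILE__ ) . 'views/' . $view . '.php';
    wp_die();
}

// Hardened:
//  1. check_ajax_referer() rejects requests without a valid nonce (closes the CSRF).
//  2. A capability check limits the handler to users who should manage forms.
//  3. The dispatch parameter is never reused; a dedicated 'task' parameter is
//     sanitized and mapped onto a fixed allow-list, so no request value ever
//     becomes part of a filesystem path.
function fm_demo_ajax_safe() {
    check_ajax_referer( 'fm_demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', 403 );
    }

    $allowed = array(
        'list' => 'list.php',
        'edit' => 'edit.php',
    );
    $task = isset( $_GET['task'] ) ? sanitize_key( wp_unslash( $_GET['task'] ) ) : 'list';
    if ( ! isset( $allowed[ $task ] ) ) {
        wp_die( 'unknown task', 400 );
    }

    include plugin_dir_path( __FILE__ ) . 'views/' . $allowed[ $task ];
    wp_die();
}
add_action( 'wp_ajax_fm_demo_action', 'fm_demo_ajax_safe' );

// The nonce the client must send back, generated where the admin page is rendered.
function fm_demo_ajax_url(): string {
    return add_query_arg(
        array(
            'action' => 'fm_demo_action',
            'task'   => 'list',
            'nonce'  => wp_create_nonce( 'fm_demo_nonce' ),
        ),
        admin_url( 'admin-ajax.php' )
    );
}
```

Two checks are worth remembering when reviewing any wp_ajax_* handler: grep for $_GET['action'] or $_REQUEST['action'] inside the handler body (the hook name is the only trustworthy statement of which action fired), and confirm that every include, require or file_get_contents path is built from an allow-list or a constant rather than from request data, even after sanitization.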