CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24700 – Forminator < 1.15.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24700
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed El plugin Forminator de WordPress versiones anteriores a 1.15.4, no sanea y escapa de la etiqueta del campo email, que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando el unfiltered_html está deshabilitado • https://wpscan.com/vulnerability/1d489b05-296e-4268-8082-9737608f9b41 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36821 – WordPress Forminator plugin <= 1.14.11 - Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36821
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Forminator – Contact Form, Payment Form & Custom Form Builder allows Stored XSS.This issue affects Forminator – Contact Form, Payment Form & Custom Form Builder: from n/a through 1.14.11. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Stored XSS.This issue affects Forminator: from n/a through 1.14.11. The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.14.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/forminator/wordpress-forminator-plugin-1-14-11-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4417 – Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.13.4 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4417
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El plugin The Forminator – Contact Form, Payment Form & Custom Form Builder para WordPress es vulnerable a ataques de tipo Cross-Site Request Forgery en versiones hasta la 1.13.4 inclusive. Esto es debido a la falta o incorrecta validación nonce en la función "listen_for_saving_export_schedule()". • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-9567 – Forminator Plugin <= 1.5.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-9567
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll. El plugin "Forminator Contact Form, Poll Quiz Builder", en versiones anteriores a la 1.6 para WordPress, tiene Cross-Site Scripting (XSS) mediante un campo de entradas personalizado de una encuesta. WordPress Forminator plugin version 1.5.4 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://lists.openwall.net/full-disclosure/2019/02/05/4 https://security-consulting.icu/blog/2019/02/wordpress-forminator-persistent-xss-blind-sql-injection https://wordpress.org/plugins/forminator/#developers https://wpvulndb.com/vulnerabilities/9215 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2019-9568 – Forminator Plugin <= 1.5.3.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-9568
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission. El plugin "Forminator Contact Form, Poll Quiz Builder", en versiones anteriores a la 1.6 para WordPress, tiene una inyección SQL mediante en parámetro entry[] "wp-admin/admin.php?page=forminator-entries" si el atacante tiene permisos de borrado. WordPress Forminator plugin version 1.5.4 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://lists.openwall.net/full-disclosure/2019/02/05/4 https://security-consulting.icu/blog/2019/02/wordpress-forminator-persistent-xss-blind-sql-injection https://wordpress.org/plugins/forminator/#developers https://wpvulndb.com/vulnerabilities/9215 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •