CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.

The Forminator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.24.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

• https://wpscan.com/vulnerability/6d50d3cc-7563-42c4-977b-f834fee711da
• https://www.onvio.nl/nieuws/research-day-discovering-vulnerabilities-in-wordpress-plugins
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.

The Forminator plugin for WordPress is vulnerable to a race condition in versions up to, and including, 1.23.3. This is due to improper validation on the poll voting functionality. This makes it possible for unauthenticated attackers to make multiple votes on a poll.

• https://wpscan.com/vulnerability/d0da4c0d-622f-4310-a867-6bfdb474073a
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')