CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0546 – FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
https://notcve.org/view.php?id=CVE-2023-0546
20 Mar 2023 — The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form. The FluentForms plugin for WrodPress is vulnerable to stored Cross-Site Scripting via custom form fields in versions up to, and including, 4.3.24. This makes it pos... • https://wpscan.com/vulnerability/078f33cd-0f5c-46fe-b858-2107a09c6b69 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3463 – FluentForm < 4.3.13 - CSV Injection
https://notcve.org/view.php?id=CVE-2022-3463
17 Oct 2022 — The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection El complemento de WordPress Contact Form anterior a 4.3.13 no valida ni escapa de los campos al exportar entradas de formulario como CSV, lo que genera una inyección de CSV. The Contact Form Plugin by FluentForm plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 4.3.12. This allows attackers to embed untrusted input into ... • https://wpscan.com/vulnerability/e2a59481-db45-4b8e-b17a-447303469364 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24381 – NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24381
27 Sep 2021 — The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Ninja Forms Contact Form de WordPress versiones anteriores a 3.5.8.2, no sanea ni escapa del nombre de la clase personalizada del campo form creado, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques d... • https://wpscan.com/vulnerability/e383fae6-e0da-4aba-bb62-adf51c01bf8d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24689 – Contact Forms - Drag & Drop Contact Form Builder <= 1.0.5 - Admin+ Arbitrary System File Read
https://notcve.org/view.php?id=CVE-2021-24689
27 Sep 2021 — The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack El plugin Contact Forms - Drag & Drop Contact Form Builder de WordPress versiones hasta 1.0.5, permite a usuarios con altos privilegios descargar archivos arbitrarios del servidor web por medio de un ataque de salto de ruta. • https://wpscan.com/vulnerability/31824250-e0d4-4285-97fa-9880b363e075 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-34620 – CSRF in WP Fluent Forms < 3.6.67 allows stored XSS and Privilege Escalation
https://notcve.org/view.php?id=CVE-2021-34620
16 Jun 2021 — The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions El plugin WP Fluent Forms versiones anteriores a 3.6.67, para WordPress es vulnerable a un ataque de tipo Cross-Site Request Forgery conllevando a una vulnerabilidad de tipo Cross-Site Scripting almacenada y una escalada de privilegios limitada debido a ... • https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/Acl/Acl.php?rev=2196688 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24777 – Hotscot Contact Form < 1.3 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24777
13 May 2021 — The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a get request with the sub_id parameter which not sanitised, escaped or validated before inserting to a SQL statement, leading to an SQL injection. La funcionalidad view submission en el plugin Hotscot Contact Form de WordPress versiones anteriores a 1.3, hace una petición get con el parámetro sub_id que no está saneada, escapada o comprobada antes de insertarse en una sentencia SQL, conllevando a una inyección S... • https://wpscan.com/vulnerability/2dfde2ef-1b33-4dc9-aa3e-02d319effb3a • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 8%CPEs: 1EXPL: 4CVE-2021-24276 – Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24276
19 Apr 2021 — The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue El plugin de WordPress Contact Form by Supsystic versiones anteriores a 1.7.15, no saneaba el parámetro tab de su página options antes de generarlo en un atributo, conllevando a un problema de tipo Cross-Site Scripting reflejado WordPress Contact Form plugin version 1.7.14 suffers from a cross site scriptin... • https://packetstorm.news/files/id/164308 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 5CVE-2020-10385 – Contact Form by WPForms <= 1.5.8.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-10385
18 Feb 2020 — A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress. Hay una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en el plugin WPForms Contact Form (también se conoce como wpforms-lite) versiones anteriores a la versión 1.5.9 para WordPress. WordPress WPForms plugin version 1.5.8.2 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/156910 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10869 – Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress <= 4.0.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-10869
13 Aug 2019 — The contact-form-plugin plugin before 4.0.2 for WordPress has XSS. El complemento contact-form-plugin anterior de 4.0.2 para WordPress tiene XSS • https://wordpress.org/plugins/contact-form-plugin/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2019-25145 – Contact Form & SMTP Plugin by PirateForms <= 2.5.1 - Unauthenticated HTML injection
https://notcve.org/view.php?id=CVE-2019-25145
27 Jul 2019 — The Contact Form & SMTP Plugin by PirateForms plugin for WordPress is vulnerable to HTML injection in the ‘public/class-pirateforms-public.php’ file in versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary HTML in emails that could be used to phish unsuspecting victims. • https://blog.nintechnet.com/html-injection-vulnerability-in-wordpress-pirate-forms-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •