Page 3 of 24 results (0.010 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in NickDuncan Contact Form plugin <= 2.0.10 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento NickDuncan Contact Form en versiones &lt;= 2.0.10. The Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.10. This is due to missing or incorrect nonce validation on the wpcf_styling_page() function. This makes it possible for unauthenticated attackers to modify the contact form's styling via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/contact-form-ready/wordpress-contact-form-plugin-2-0-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection.This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25. Neutralización Inadecuada de Elementos Especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en el Contact Form - complemento WPManageNinja LLC Contact Form - complemento Fastest Contact Form Builder para WordPress por Fluent Forms fluentform permite la Inyección SQL. Este problema afecta al complemento Contact Form - complemento Fastest Contact Form Builder para WordPress por Fluent Forms: desde n/a hasta la versión 4.3.25. The FluentForm plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.3.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/fluentform/wordpress-fluentform-plugin-4-3-25-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form. The FluentForms plugin for WrodPress is vulnerable to stored Cross-Site Scripting via custom form fields in versions up to, and including, 4.3.24. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/078f33cd-0f5c-46fe-b858-2107a09c6b69 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection El complemento de WordPress Contact Form anterior a 4.3.13 no valida ni escapa de los campos al exportar entradas de formulario como CSV, lo que genera una inyección de CSV. The Contact Form Plugin by FluentForm plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 4.3.12. This allows attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. • https://wpscan.com/vulnerability/e2a59481-db45-4b8e-b17a-447303469364 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Ninja Forms Contact Form de WordPress versiones anteriores a 3.5.8.2, no sanea ni escapa del nombre de la clase personalizada del campo form creado, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html está deshabilitada • https://wpscan.com/vulnerability/e383fae6-e0da-4aba-bb62-adf51c01bf8d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •