CVE-2021-4417 – Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.13.4 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4417
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
References: https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-9567 – Forminator Plugin <= 1.5.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-9567
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll. WordPress Forminator plugin version 1.5.4 suffers from cross-site scripting and remote SQL injection vulnerabilities.
References: https://lists.openwall.net/full-disclosure/2019/02/05/4 https://security-consulting.icu/blog/2019/02/wordpress-forminator-persistent-xss-blind-sql-injection https://wordpress.org/plugins/forminator/#developers https://wpvulndb.com/vulnerabilities/9215
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-9568 – Forminator Plugin <= 1.5.3.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-9568
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission. WordPress Forminator plugin version 1.5.4 suffers from cross-site scripting and remote SQL injection vulnerabilities.
References: https://lists.openwall.net/full-disclosure/2019/02/05/4 https://security-consulting.icu/blog/2019/02/wordpress-forminator-persistent-xss-blind-sql-injection https://wordpress.org/plugins/forminator/#developers https://wpvulndb.com/vulnerabilities/9215
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')