NotCVE - vendor:"Wpforms" product:"Contact Form" version:" <= 2.5.1"

Page 3 of 34 results (0.010 seconds)

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2

CVE-2024-0618 – Fluent Forms <= 5.1.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via imported form title

https://notcve.org/view.php?id=CVE-2024-0618

The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. El complemento Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de títulos de formulario importados en todas las versiones hasta la 5.1.5 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://advisory.abay.sh/cve-2024-0618 https://plugins.trac.wordpress.org/changeset/3022938/fluentform/tags/5.1.7/app/Helpers/Helper.php?old=3000676&old_path=fluentform%2Ftags%2F5.1.5%2Fapp%2FHelpers%2FHelper.php https://www.wordfence.com/threat-intel/vulnerabilities/id/0348d465-f351-4c52-b293-8b3b058292b9?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-45068 – WordPress Contact Form by Supsystic Plugin <= 1.7.27 is vulnerable to Cross Site Request Forgery (CSRF)

https://notcve.org/view.php?id=CVE-2023-45068

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Contact Form by Supsystic plugin <= 1.7.27 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Supsystic Contact Form de Supsystic en versiones <= 1.7.27. The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.27. This is due to missing nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/contact-form-by-supsystic/wordpress-contact-form-by-supsystic-plugin-1-7-24-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-44231 – WordPress Contact Form Plugin <= 2.0.10 is vulnerable to Cross Site Request Forgery (CSRF)

https://notcve.org/view.php?id=CVE-2023-44231

Cross-Site Request Forgery (CSRF) vulnerability in NickDuncan Contact Form plugin <= 2.0.10 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento NickDuncan Contact Form en versiones <= 2.0.10. The Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.10. This is due to missing or incorrect nonce validation on the wpcf_styling_page() function. This makes it possible for unauthenticated attackers to modify the contact form's styling via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/contact-form-ready/wordpress-contact-form-plugin-2-0-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-24410 – WordPress FluentForm Plugin <= 4.3.25 is vulnerable to SQL Injection

https://notcve.org/view.php?id=CVE-2023-24410

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection.This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25. Neutralización Inadecuada de Elementos Especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en el Contact Form - complemento WPManageNinja LLC Contact Form - complemento Fastest Contact Form Builder para WordPress por Fluent Forms fluentform permite la Inyección SQL. Este problema afecta al complemento Contact Form - complemento Fastest Contact Form Builder para WordPress por Fluent Forms: desde n/a hasta la versión 4.3.25. The FluentForm plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.3.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/fluentform/wordpress-fluentform-plugin-4-3-25-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

CVE-2023-30500 – WordPress WPForms plugins - Reflected Cross Site Scripting (XSS) vulnerability

https://notcve.org/view.php?id=CVE-2023-30500

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPForms WPForms Lite (wpforms-lite), WPForms WPForms Pro (wpforms) plugins <= 1.8.1.2 versions. The Contact Form by WPForms (Free and Premium) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.8.1.2 due to insufficient input sanitization and output escaping on debug data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wpforms-lite/wordpress-wpforms-lite-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve https://patchstack.com/database/vulnerability/wpforms/wordpress-wpforms-pro-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

1 2 3 4 5