CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.

• https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter. WordPress Form Maker plugin version 1.13.3 suffers from a remote SQL injection vulnerability.

• https://www.exploit-db.com/exploits/46958
• http://seclists.org/fulldisclosure/2019/May/8
• https://wordpress.org/plugins/form-maker/#developers
• https://wpvulndb.com/vulnerabilities/9286
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.

• http://seclists.org/fulldisclosure/2019/Apr/36
• https://lists.openwall.net/full-disclosure/2019/04/05/11
• https://wordpress.org/plugins/form-maker/#developers
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection. The WebDorado "Form Maker by WD" plugin before 1.12.22 for WordPress allows CSV injection. WordPress Form Maker plugin version 1.12.20 suffers from a CSV injection vulnerability.

• https://www.exploit-db.com/exploits/44559
• https://wordpress.org/plugins/form-maker/#developers
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File