CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2528 – Contact Form by Supsystic <= 1.7.24 - Cross-Site Request Forgery via AJAX action
https://notcve.org/view.php?id=CVE-2023-2528
The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/contact-form-by-supsystic/trunk/classes/frame.php?rev=2777737#L297 https://plugins.trac.wordpress.org/browser/contact-form-by-supsystic/trunk/classes/frame.php?rev=2912584#L230 https://www.wordfence.com/threat-intel/vulnerabilities/id/1c387b07-baf6-4c62-943e-4bd121160ceb?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2012-10010 – BestWebSoft Contact Form contact_form.php cntctfrm_settings_page cross-site request forgery
https://notcve.org/view.php?id=CVE-2012-10010
A vulnerability was found in BestWebSoft Contact Form 3.21. It has been classified as problematic. This affects the function cntctfrm_settings_page of the file contact_form.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. • https://github.com/wp-plugins/contact-form-plugin/commit/8398d96ff0fe45ec9267d7259961c2ef89ed8005 https://vuldb.com/?ctiid.225321 https://vuldb.com/?id.225321 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2013-10022 – BestWebSoft Contact Form Plugin contact_form.php cntctfrm_check_form cross site scripting
https://notcve.org/view.php?id=CVE-2013-10022
A vulnerability, which was classified as problematic, has been found in BestWebSoft Contact Form Plugin 3.51 on WordPress. Affected by this issue is the function cntctfrm_display_form/cntctfrm_check_form of the file contact_form.php. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 3.52 is able to address this issue. • https://github.com/wp-plugins/contact-form-plugin/commit/642ef1dc1751ab6642ce981fe126325bb574f898 https://vuldb.com/?ctiid.225002 https://vuldb.com/?id.225002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0546 – FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
https://notcve.org/view.php?id=CVE-2023-0546
The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form. The FluentForms plugin for WrodPress is vulnerable to stored Cross-Site Scripting via custom form fields in versions up to, and including, 4.3.24. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/078f33cd-0f5c-46fe-b858-2107a09c6b69 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3463 – FluentForm < 4.3.13 - CSV Injection
https://notcve.org/view.php?id=CVE-2022-3463
The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection El complemento de WordPress Contact Form anterior a 4.3.13 no valida ni escapa de los campos al exportar entradas de formulario como CSV, lo que genera una inyección de CSV. The Contact Form Plugin by FluentForm plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 4.3.12. This allows attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. • https://wpscan.com/vulnerability/e2a59481-db45-4b8e-b17a-447303469364 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •