CVE-2021-24689 – Contact Forms - Drag & Drop Contact Form Builder <= 1.0.5 - Admin+ Arbitrary System File Read
https://notcve.org/view.php?id=CVE-2021-24689
The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack El plugin Contact Forms - Drag & Drop Contact Form Builder de WordPress versiones hasta 1.0.5, permite a usuarios con altos privilegios descargar archivos arbitrarios del servidor web por medio de un ataque de salto de ruta. • https://wpscan.com/vulnerability/31824250-e0d4-4285-97fa-9880b363e075 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2021-24381 – NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24381
The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Ninja Forms Contact Form de WordPress versiones anteriores a 3.5.8.2, no sanea ni escapa del nombre de la clase personalizada del campo form creado, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html está deshabilitada • https://wpscan.com/vulnerability/e383fae6-e0da-4aba-bb62-adf51c01bf8d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-34620 – CSRF in WP Fluent Forms < 3.6.67 allows stored XSS and Privilege Escalation
https://notcve.org/view.php?id=CVE-2021-34620
The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions El plugin WP Fluent Forms versiones anteriores a 3.6.67, para WordPress es vulnerable a un ataque de tipo Cross-Site Request Forgery conllevando a una vulnerabilidad de tipo Cross-Site Scripting almacenada y una escalada de privilegios limitada debido a una falta de comprobación de nonce en la función access control para acciones administrativas AJAX • https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/Acl/Acl.php?rev=2196688 https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-in-wp-fluent-forms • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-24777 – Hotscot Contact Form < 1.3 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24777
The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a get request with the sub_id parameter which not sanitised, escaped or validated before inserting to a SQL statement, leading to an SQL injection. La funcionalidad view submission en el plugin Hotscot Contact Form de WordPress versiones anteriores a 1.3, hace una petición get con el parámetro sub_id que no está saneada, escapada o comprobada antes de insertarse en una sentencia SQL, conllevando a una inyección SQL • https://wpscan.com/vulnerability/2dfde2ef-1b33-4dc9-aa3e-02d319effb3a • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-24276 – Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24276
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue El plugin de WordPress Contact Form by Supsystic versiones anteriores a 1.7.15, no saneaba el parámetro tab de su página options antes de generarlo en un atributo, conllevando a un problema de tipo Cross-Site Scripting reflejado WordPress Contact Form plugin version 1.7.14 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/50344 http://packetstormsecurity.com/files/164308/WordPress-Contact-Form-1.7.14-Cross-Site-Scripting.html https://wpscan.com/vulnerability/1301123c-5e63-432a-ab90-3221ca532d9c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •