CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24689 – Contact Forms - Drag & Drop Contact Form Builder <= 1.0.5 - Admin+ Arbitrary System File Read
https://notcve.org/view.php?id=CVE-2021-24689
The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack El plugin Contact Forms - Drag & Drop Contact Form Builder de WordPress versiones hasta 1.0.5, permite a usuarios con altos privilegios descargar archivos arbitrarios del servidor web por medio de un ataque de salto de ruta. • https://wpscan.com/vulnerability/31824250-e0d4-4285-97fa-9880b363e075 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-34620 – CSRF in WP Fluent Forms < 3.6.67 allows stored XSS and Privilege Escalation
https://notcve.org/view.php?id=CVE-2021-34620
The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions El plugin WP Fluent Forms versiones anteriores a 3.6.67, para WordPress es vulnerable a un ataque de tipo Cross-Site Request Forgery conllevando a una vulnerabilidad de tipo Cross-Site Scripting almacenada y una escalada de privilegios limitada debido a una falta de comprobación de nonce en la función access control para acciones administrativas AJAX • https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/Acl/Acl.php?rev=2196688 https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-in-wp-fluent-forms • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24777 – Hotscot Contact Form < 1.3 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24777
The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a get request with the sub_id parameter which not sanitised, escaped or validated before inserting to a SQL statement, leading to an SQL injection. La funcionalidad view submission en el plugin Hotscot Contact Form de WordPress versiones anteriores a 1.3, hace una petición get con el parámetro sub_id que no está saneada, escapada o comprobada antes de insertarse en una sentencia SQL, conllevando a una inyección SQL • https://wpscan.com/vulnerability/2dfde2ef-1b33-4dc9-aa3e-02d319effb3a • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2021-24276 – Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24276
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue El plugin de WordPress Contact Form by Supsystic versiones anteriores a 1.7.15, no saneaba el parámetro tab de su página options antes de generarlo en un atributo, conllevando a un problema de tipo Cross-Site Scripting reflejado WordPress Contact Form plugin version 1.7.14 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/50344 http://packetstormsecurity.com/files/164308/WordPress-Contact-Form-1.7.14-Cross-Site-Scripting.html https://wpscan.com/vulnerability/1301123c-5e63-432a-ab90-3221ca532d9c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 4CVE-2020-10385 – Contact Form by WPForms <= 1.5.8.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-10385
A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress. Hay una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en el plugin WPForms Contact Form (también se conoce como wpforms-lite) versiones anteriores a la versión 1.5.9 para WordPress. WordPress WPForms plugin version 1.5.8.2 suffers from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/48245 https://packetstormsecurity.com/files/156910/WordPress-WP-Forms-1.5.8.2-Cross-Site-Scripting.html https://wordpress.org/plugins/wpforms-lite/#developers https://wpvulndb.com/vulnerabilities/10114 https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-wpforms-plugin https://www.jinsonvarghese.com/stored-xss-vulnerability-found-in-wpforms-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •