CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7484 – CRM Perks Forms <= 1.1.3 - Authenticated (Administrator+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7484
The CRM Perks Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'handle_uploaded_files' function in versions up to, and including, 1.1.3. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento CRM Perks Forms para WordPress es vulnerable a cargas de archivos arbitrarias debido a una validación de archivos insuficiente en la función 'handle_uploaded_files' en versiones hasta la 1.1.3 incluida. Esto hace posible que atacantes autenticados con capacidades de nivel de administrador o superior carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecución remota de código. • https://plugins.trac.wordpress.org/browser/crm-perks-forms/trunk/includes/front-form.php?rev=3003885#L3271 https://plugins.trac.wordpress.org/changeset/3016768/crm-perks-forms https://www.wordfence.com/threat-intel/vulnerabilities/id/02c6ec97-50cc-4c61-9bb7-b94250d5dda3?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51536 – WordPress CRM Perks Forms Plugin <= 1.1.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-51536
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms – WordPress Form Builder allows Stored XSS.This issue affects CRM Perks Forms – WordPress Form Builder: from n/a through 1.1.2. La vulnerabilidad de neutralización incorrecta de la entrada durante de generación de páginas web ('Cross-site Scripting') en CRM Perks Forms CRM Perks – WordPress Form Builder permite XSS almacenado. Este problema afecta a CRM Perks Forms – WordPress Form Builder: desde n/a hasta 1.1.2 . The CRM Perks Forms – WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on the label field. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/crm-perks-forms/wordpress-crm-perks-forms-plugin-1-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2836 – CRM Perks Forms <= 1.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-2836
The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. El plugin CRM Perks Forms para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de la configuración de formularios en versiones hasta la v1.1.1 inclusive debido a la insuficiente sanitización de entrada y escape de salida. Esto hace posible que atacantes autenticados, con permisos de nivel de administrador y superiores, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://github.com/Don-H50/wp-vul/blob/main/CPF-xss-exploit.md https://plugins.trac.wordpress.org/changeset/2917582 https://www.wordfence.com/threat-intel/vulnerabilities/id/de11636b-a051-4e76-bc26-ed76f66fe0df?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38467 – WordPress CRM Perks Forms Plugin <= 1.1.0 is vulnerable to Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-38467
Reflected Cross-Site Scripting (XSS) vulnerability in CRM Perks Forms – WordPress Form Builder <= 1.1.0 ver. Vulnerabilidad de cross site scripting (XSS) reflejado en CRM Perks Forms – WordPress Form Builder <= 1.1.0 ver. The CRM Perks Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.10 due to insufficient input sanitization and output escaping in the ~/templates/sample_file.php file. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/crm-perks-forms/wordpress-crm-perks-forms-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •