CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23180 – Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update
https://notcve.org/view.php?id=CVE-2022-23180
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings El complemento de WordPress Contact Form & Lead Form Elementor Builder anterior a 1.7.4 no tiene autorización ni comprobaciones nonce, lo que podría permitir a cualquier usuario autenticado, como el suscriptor, actualizar y cambiar varias configuraciones. The Contact Form & Lead Form Elementor Builder plugin for WordPress is vulnerable to Arbitrary Settings Change in versions before 1.7.4. This is due to missing capabilities checks on several functions. This makes it possible for authenticated attackers with subscriber-level privileges or above to arbitrarily change plugin settings. • https://plugins.trac.wordpress.org/changeset/2670484 https://wpscan.com/vulnerability/da87358a-3a72-4cf7-a2af-a266dd9b4290 • CWE-862: Missing Authorization •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23179 – Contact Form & Lead Form Elementor Builder < 1.7.0 - Multiple Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-23179
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed El complemento de WordPress Contact Form & Lead Form Elementor Builder anterior a 1.7.0 no escapa de algunos de sus campos de formulario antes de mostrarlos en atributos, lo que podría permitir a usuarios con altos privilegios realizar ataques de cross site scripting incluso cuando la capacidad unfiltered_html no está permitida. The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 1.7.0 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/90b8af99-e4a1-4076-99fa-efe805dd4be4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24967 – Contact Form & Lead Form Elementor Builder < 1.6.4 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24967
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads El plugin Contact Form & Lead Form Elementor Builder de WordPress versiones anteriores a 1.6.4, no sanea ni escapa de algunos valores de leads, lo que podría permitir a usuarios no autenticados llevar a cabo ataques de tipo Cross-Site Scripting contra el administrador que haya iniciado la sesión y visualice los Leads insertados • https://wpscan.com/vulnerability/4e165122-4746-42de-952e-a3bf51393a74 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •