CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10056 – Contact Form Builder <= 4.10.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via livesite-pay Shortcode
https://notcve.org/view.php?id=CVE-2024-10056
04 Dec 2024 — The Contact Form Builder by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's livesite-pay shortcode in all versions up to, and including, 4.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset/3200766 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35747 – WordPress Contact Form Builder, Contact Widget plugin <= 2.1.7 - Bypass Vulnerability vulnerability
https://notcve.org/view.php?id=CVE-2024-35747
06 Jun 2024 — Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass.This issue affects Contact Form Builder, Contact Widget: from n/a through 2.1.7. Vulnerabilidad de restricción inadecuada de intentos de autenticación excesivos en wpdevart Contact Form Builder, Contact Widget permite omitir la funcionalidad. Este problema afecta a Contact Form Builder, Contact Widget: desde n/a hasta 2.1.7. The Contact Form Builder, Contact Wi... • https://patchstack.com/database/vulnerability/contact-forms-builder/wordpress-contact-form-builder-contact-widget-plugin-2-1-7-bypass-vulnerability-vulnerability?_s_id=cve • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1640 – Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form <= 2.10.1 - Unauthenticated Insecure Direct Object Reference to Form Submission Alteration
https://notcve.org/view.php?id=CVE-2024-1640
13 Mar 2024 — The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient user validation on the bitforms_update_form_entry AJAX action in all versions up to, and including, 2.10.1. This makes it possible for unauthenticated attackers to modify form submissions. El complemento Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit F... • https://plugins.trac.wordpress.org/changeset/3048523/bit-form/trunk/includes/Frontend/Ajax/FrontendAjax.php • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46075 – WordPress Contact Form Builder, Contact Widget Plugin <= 2.1.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-46075
16 Oct 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wpdevart Contact Form Builder, Contact Widget plugin <= 2.1.6 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada no autenticada en el complemento wpdevart Contact Form Builder, Contact Widget en versiones <= 2.1.6. The Contact Form Builder, Contact Widget plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping. This mak... • https://patchstack.com/database/vulnerability/contact-forms-builder/wordpress-contact-form-builder-contact-widget-plugin-2-1-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3645 – Contact Form Builder by Bit Form < 2.2.0 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-3645
24 Jul 2023 — The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The Contact Form Builder by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.1.0 due to insufficient input sanitization and o... • https://wpscan.com/vulnerability/58c11f1e-6ea0-468c-b974-4aea9eb94b82 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •