CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-52209 – WordPress WPForms User Registration plugin <= 2.1.0 - Authenticated Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2023-52209
Improper Privilege Management vulnerability in WPForms, LLC. WPForms User Registration allows Privilege Escalation.This issue affects WPForms User Registration: from n/a through 2.1.0. The WPForms User Registration plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.1.0. This is due to a missing capability check when adding a role option to a form. This makes it possible for authenticated attackers, with contributor-level access and above, to create a form that allows them to register as a higher privileged user. • https://patchstack.com/database/vulnerability/wpforms-user-registration/wordpress-wpforms-user-registration-plugin-2-1-0-authenticated-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29820 – WordPress PDF Builder for WPForms plugin <= 1.2.88 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-29820
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedNao PDF Builder for WPForms allows Stored XSS.This issue affects PDF Builder for WPForms: from n/a through 1.2.88. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Cross-site Scripting') en RedNao PDF Builder para WPForms permite XSS almacenado. Este problema afecta a PDF Builder para WPForms: desde n/a hasta 1.2.88. The PDF Builder for WPForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' variable in versions up to, and including, 1.2.88 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/pdf-builder-for-wpforms/wordpress-pdf-builder-for-wpforms-plugin-1-2-88-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-7063 – WPForms Pro 1.8.4 - 1.8.5.3 - Unauthenticated Stored Cross-Site Scripting via Form Submission
https://notcve.org/view.php?id=CVE-2023-7063
The WPForms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission parameters in all versions up to, and including, 1.8.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento WPForms Pro para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de parámetros de envío de formularios en todas las versiones hasta la 1.8.5.3 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. The WPForms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission parameters in all versions from 1.8.4 up to, and including, 1.8.5.3 due to insufficient input sanitization and output escaping. • https://wpforms.com/docs/how-to-view-recent-changes-to-the-wpforms-plugin-changelog/#1-8-5-4-2023-12-27 https://www.wordfence.com/threat-intel/vulnerabilities/id/31c080b8-ba00-4e96-8961-2a1c3a017004?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30500 – WordPress WPForms plugins - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2023-30500
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPForms WPForms Lite (wpforms-lite), WPForms WPForms Pro (wpforms) plugins <= 1.8.1.2 versions. The Contact Form by WPForms (Free and Premium) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.8.1.2 due to insufficient input sanitization and output escaping on debug data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wpforms-lite/wordpress-wpforms-lite-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve https://patchstack.com/database/vulnerability/wpforms/wordpress-wpforms-pro-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3574 – WPForms Pro < 1.7.7 - CSV Injection
https://notcve.org/view.php?id=CVE-2022-3574
The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection. El complemento de WordPress WPForms Pro anterior a 1.7.7 no valida los datos de su formulario al generar el CSV exportado, lo que podría provocar una inyección de CSV. The WPForms Pro plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.7.6. This allows attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. • https://wpscan.com/vulnerability/0eae5189-81af-4344-9e96-dd1f4e223d41 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •