6.1
CVE-2022-23988
- EPSS 2.2%
- Veröffentlicht 28.02.2022 09:15:09
- Zuletzt bearbeitet 21.11.2024 06:49:36
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginWS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting
WS Form LITE and WS Form Pro < 1.8.176 - Stored Cross-Site Scripting
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission
Mögliche Gegenmaßnahme
WS Form LITE – Drag & Drop Contact Form Builder: Update to version 1.8.176, or a newer patched version
WS Form Pro: Update to version 1.8.176, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Westguardsolutions ≫ Ws Form SwEditionlite SwPlatformwordpress Version < 1.8.176
Westguardsolutions ≫ Ws Form SwEditionpro SwPlatformwordpress Version < 1.8.176
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WS Form LITE – Drag & Drop Contact Form Builder
Version
[*, 1.8.176)
SystemWordPress Plugin
≫
Produkt
WS Form Pro
Version
[*, 1.8.176)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.2% | 0.802 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2990ed9-061e-4d35-aae0-99282a4f3737