5.4
CVE-2023-0546
- EPSS 0.15%
- Published 10.04.2023 14:15:08
- Last modified 11.02.2025 21:15:10
- Source contact@wpscan.com
FluentForms <= 4.3.24 - Authenticated(Contributor+) Stored Cross-Site Scripting
The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form, which will trigger for any visitor to the form or for admins previewing or editing the form.
Possible countermeasure
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder: Update to version 4.3.25, or a newer patched version
Further vulnerability information
System
WordPress Plugin
Product
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Version
*-4.3.24
Data provided by the National Vulnerability Database (NVD)
Fluentforms ≫ Contact Form (Sw Platform: wordpress), Version < 4.3.25
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.359 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |