CVE-2017-20192

The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://klikki.fi/adv/formidable.html
https://wordpress.org/plugins/formidable/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/900fcaab-2424-4ae8-af18-95659db0dbe3?source=cve

Configurations

No configuration.

History

16 Oct 2024, 16:38

Type	Values Removed	Values Added
Summary		(es) El complemento Formidable Form Builder para WordPress es vulnerable a cross-site scripting almacenado a través de múltiples parámetros enviados durante las entradas de formularios, como 'after_html' en versiones anteriores a la 2.05.03, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten secuencias de comandos web arbitrarias que se ejecutan en el navegador de la víctima.

16 Oct 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-16 07:15

Updated : 2024-10-16 16:38

NVD link : CVE-2017-20192

Mitre link : CVE-2017-20192

CVE.ORG link : CVE-2017-20192

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

8.3 /10