CVE-2024-6703

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-6703
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ and 'btn_txt' parameters in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for attackers with the Form Manager permissions and Subscriber+ user role, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

4.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FluentConversational/Classes/Elements/WelcomeScreen.php
https://plugins.trac.wordpress.org/changeset/3125227/
https://www.wordfence.com/threat-intel/vulnerabilities/id/69dc9236-8079-434f-b2b5-060a0c5eba46?source=cve
Configurations

No configuration.

History

29 Jul 2024, 14:12

Type Values Removed Values Added
Summary
  • (es) El complemento Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder para WordPress es vulnerable a Cross Site Scripting almacenado a través de los parámetros 'description' y 'btn_txt' en todas las versiones hasta la 5.1 incluida. .19 debido a una sanitización de la entrada y escape de salida insuficientes. Esto hace posible que los atacantes con permisos de Administrador de formularios y rol de usuario Suscriptor+ inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.

27 Jul 2024, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-27 13:15

Updated : 2024-07-29 14:12

NVD link : CVE-2024-6703

Mitre link : CVE-2024-6703

CVE.ORG link : CVE-2024-6703

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')