Filtered by vendor Incsub
Subscribe
Total
13 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-36821 | 1 Incsub | 1 Forminator | 2024-04-29 | N/A | 6.1 MEDIUM |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Forminator – Contact Form, Payment Form & Custom Form Builder allows Stored XSS.This issue affects Forminator – Contact Form, Payment Form & Custom Form Builder: from n/a through 1.14.11. | |||||
CVE-2023-5119 | 1 Incsub | 1 Forminator | 2024-02-05 | N/A | 4.8 MEDIUM |
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
CVE-2023-6133 | 1 Incsub | 1 Forminator | 2024-02-05 | N/A | 4.9 MEDIUM |
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed. | |||||
CVE-2023-3134 | 1 Incsub | 1 Forminator | 2024-02-05 | N/A | 6.1 MEDIUM |
The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks. | |||||
CVE-2023-2010 | 1 Incsub | 1 Forminator | 2024-02-04 | N/A | 3.1 LOW |
The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll. | |||||
CVE-2021-4417 | 1 Incsub | 1 Forminator | 2024-02-04 | N/A | 4.3 MEDIUM |
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2022-0994 | 1 Incsub | 1 Hummingbird | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
CVE-2021-24700 | 1 Incsub | 1 Forminator | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | |||||
CVE-2018-18576 | 1 Incsub | 1 Hustle | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
The Hustle (aka wordpress-popup) plugin through 6.0.5 for WordPress allows Directory Traversal to obtain a directory listing via the views/admin/dashboard/ URI. | |||||
CVE-2015-9455 | 1 Incsub | 1 Buddypress-activity-plus | 2024-02-04 | 7.8 HIGH | 8.1 HIGH |
The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfb_photos[] parameter in a bpfb_remove_temp_images action. | |||||
CVE-2019-11872 | 1 Incsub | 1 Hustle | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text. | |||||
CVE-2019-9568 | 1 Incsub | 1 Forminator | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission. | |||||
CVE-2019-9567 | 1 Incsub | 1 Forminator | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll. |