NEX-Forms < 8.3.3 – Contributor+ Stored XSS | CVE 2023-0272 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

1. Add a form
2. Insert the following payload in a page/post: [NEXForms id='1' open_trigger='popup' backdrop='" style="height:100%;display:block!important;" onmouseover="alert(1)"']

Affects Plugins

nex-forms-express-wp-form-builder

Fixed in 8.3.3

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

047b50c0-0eb3-4371-9e5d-3778fdafc66b

Timeline

Publicly Published

2023-02-28 (about 1 years ago)

Added

2023-02-28 (about 1 years ago)

Last Updated

2023-03-16 (about 1 years ago)

Other

Published

Title

Published

2024-04-23

Title

Ultimate Blocks < 3.1.7 - Contributor+ Stored XSS

Published

2015-04-21

Title

WordPress 3.9-4.1.1 - Same-Origin Method Execution

Published

2022-12-22

Title

3D FlipBook < 1.13.3 - Contributor+ Stored XSS

Published

2021-04-23

Title

Select All Categories and Taxonomies < 1.3.2 - Reflected Cross-Site Scripting (XSS)

Published

2021-07-17

Title

iQ Block Country < 1.2.12 - Admin+ Stored Cross-Site Scripting