Contact Form & Lead Form Elementor Builder < 1.7.0 – Multiple Admin+ Stored Cross-Site Scripting | CVE 2022-23179 | Plugin Vulnerabilities

Description

The plugin does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Create/Edit a form and put the following payload in a Filed Name or Default Value; "style=animation-name:rotation onanimationstart=alert(/XSS/)// yo="

Affects Plugins

lead-form-builder

Fixed in 1.7.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Yoru Oni

Submitter

Yoru Oni

Submitter website

https://profiles.wordpress.org/yoruoni/

Verified

Yes

WPVDB ID

90b8af99-e4a1-4076-99fa-efe805dd4be4

Timeline

Publicly Published

2022-01-05 (about 2 years ago)

Added

2022-02-01 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Events Manager Extended - Stored XSS

Published

2023-03-14

Title

Easy Event calendar <= 1.0 - Admin+ Stored XSS

Published

2024-03-26

Title

WP-Lister Lite for Amazon < 2.6.12 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-01-23

Title

Spotlight Social Feeds < 1.4.3 - Contributor+ Stored XSS

Published

2019-02-16

Title

Launcher: Coming Soon & Maintenance Mode <= 1.0.10 - Multiple Stored XSS