WordPress Plugin Vulnerabilities

MW WP Form < 5.1.0 - Editor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting in versions up to due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
mw-wp-form
Fixed in 5.1.0

References

CVE
CVE-2024-24804
URL
https://patchstack.com/database/vulnerability/mw-wp-form/wordpress-mw-wp-form-plugin-5-0-6-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Huynh Tien Si
Verified
No
WPVDB ID
95ae5adc-ec77-44d2-a1bb-27f1fec5cc19

Timeline

Publicly Published
2024-01-31 (about 3 months ago)
Added
2024-02-06 (about 3 months ago)
Last Updated
2024-03-13 (about 1 months ago)

Other

Published
Title
Published
2022-08-22
Title
WP Taxonomy Import <= 1.0.4 - Reflected Cross-Site Scripting
Published
2024-03-25
Title
Dropdown Multisite selector < 0.9.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Published
2023-10-27
Title
PubyDoc <= 2.0.6 - Admin+ Stored XSS
Published
2023-05-22
Title
MailChimp Subscribe Forms < 4.0.9.2 - Admin+ Stored XSS
Published
2023-03-28
Title
MS-Reviews <= 1.5 - Subscriber+ Stored XSS