WordPress Plugin Vulnerabilities

Conversational Forms for ChatBot < 1.17 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape a form name, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
conversational-forms
Fixed in 1.17

References

CVE
CVE-2023-23981

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
ab7fc164-41b0-4064-8717-3ed027684aa0

Timeline

Publicly Published
2023-01-20 (about 1 years ago)
Added
2023-04-06 (about 1 years ago)
Last Updated
2023-04-06 (about 1 years ago)

Other

Published
Title
Published
2017-12-24
Title
Football Pool < 2.6.5 - Multiple XSS
Published
2023-12-27
Title
Themify Icons < 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-11
Title
WPFunnels < 2.6.9 - Contributor+ Stored XSS
Published
2014-08-01
Title
IFrame Admin Pages <= 0.1 - Cross Site Scripting
Published
2023-03-28
Title
Woocommerce Custom Checkout Fields Editor With Drag & Drop <= 0.1 - Reflected Cross-Site Scripting