Form Builder CP < 1.2.32 – Admin+ Stored Cross-Site Scripting | CVE 2022-2567

Description

The plugin does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

Create/edit a form and put the following payload in the Form name settings: "><script>alert(/XSS/)</script>

Affects Plugins

cp-easy-form-builder

Fixed in 1.2.32

References

CVE

CVE-2022-2567

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Chinmay Vishwas Divekar

Submitter

Chinmay Vishwas Divekar

Submitter twitter

th3lonewolf1

Verified

Yes

WPVDB ID

dfa21dde-a9fc-4a35-9602-c3fde907ca54

Timeline

Publicly Published

2022-08-29 (about 1 years ago)

Added

2022-08-29 (about 1 years ago)

Last Updated

2022-08-29 (about 1 years ago)

Other

Published

Title

Published

2023-01-19

Title

Amr Shortcode Any Widget <= 4.0 - Contributor+ Stored XSS

Published

2021-04-21

Title

Woocommerce < 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2020-02-25

Title

Photo Gallery < 1.5.46 - Multiple Cross-Site Scripting (XSS) Issues

Published

2024-01-30

Title

Click To Tweet <= 2.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-12-27

Title

Easy Social Feed – Social Photos Gallery – Post Feed – Like Box < 6.4.0 - Contributor+ Stored XSS