Описание
The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings as well as form fields before outputting them in attributes. This could allow attackers to make a logged in admin edit arbitrary forms with Cross-Site Scripting payloads in them
Ссылки
- ExploitThird Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 7.9.4 (включая)
cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*
EPSS
Процентиль: 27%
0.00097
Низкий
4.8 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
Связанные уязвимости
CVSS3: 4.8
github
около 4 лет назад
The NEX-Forms WordPress plugin through 7.9.4 does not escape some of its settings and form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
EPSS
Процентиль: 27%
0.00097
Низкий
4.8 Medium
CVSS3
3.5 Low
CVSS2