Description

The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.

Related CPE's

a

planso

planso_forms

*

*

*

*

*

wordpress

Vulnerable

References

https://wpscan.com/vulnerability/88d70e35-4c22-4bc7-b1a5-24068d55257c

ExploitThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

4.8 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-10-18T14:15:09.080

3 years ago

Last modified

2021-10-21T19:24:16.603

3 years ago