Description

The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.

Related CPE's

a

planso

planso_forms

*

*

*

*

*

wordpress

Vulnerable

References

https://wpscan.com/vulnerability/88d70e35-4c22-4bc7-b1a5-24068d55257c

ExploitThird Party Advisory

https://wpscan.com/vulnerability/88d70e35-4c22-4bc7-b1a5-24068d55257c

ExploitThird Party Advisory

Weaknesses

[email protected]

Secondary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

4.8 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-10-18T12:15:09.080Z

4 years ago

Last modified

2024-11-21T04:53:13.130Z

1 year ago