CVE-2024-6520

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3125227/
https://wordpress.org/plugins/fluentform/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/0a30d35c-9883-4b0f-83a2-494401c45d8e?source=cve

Configurations

No configuration.

History

29 Jul 2024, 14:12

Type	Values Removed	Values Added
Summary		(es) El complemento Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder para WordPress es vulnerable a Cross Site Scripting almacenado en todas las versiones hasta la 5.1.19 incluida debido a una sanitización de entrada y un escape de salida insuficientes . Esto hace posible que atacantes autenticados, con acceso de nivel de administrador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.

Information

Published : 2024-07-27 12:15

Updated : 2024-07-29 14:12

NVD link : CVE-2024-6520

Mitre link : CVE-2024-6520

CVE.ORG link : CVE-2024-6520

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.5 /10