FormBuilder <= 1.08 - Stored Cross-Site Scripting via CSRF

The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them.

N/A

跨站请求伪造(CSRF)

WordPress和WordPress plugin 跨站请求伪造漏洞

WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是WordPress开源的一个应用插件。 WordPress plugin FormBuilder存在跨站请求伪造漏洞，该漏洞源于在创建/更新和删除表单时没有进行CSRF检查，也没有对表单字段值进行清理和转义。因此，攻击者可以通过CSRF攻击进行登录管理更新和删除任意表单，并将跨站点脚本有效负载放入其中。

N/A

N/A