CVE-2024-7691: Unauthenticated Stored XSS in Flaming Forms <= 1.0.1

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Plugin Name: Flaming Forms <= 1.0.1 2. Vulnerability Type: Unauthenticated Stored XSS 3. Description: The plugin does not sanitize or escape certain parameters, allowing unauthenticated users to perform cross-site scripting attacks against administrators. 4. Proof of Concept: - Step 1: As an administrator, add a contact form. - Step 2: As an unauthenticated user, input the payload into any field of the contact form and submit it. - Step 3: As an administrator, view the submitted form and observe the XSS execution. 5. Affected Plugin: flaming-forms 6. References: - CVE ID: CVE-2024-7691 7. Classification: - Type: XSS - OWASP Top 10: A7: Cross-Site Scripting (XSS) - CWE ID: CWE-79 8. Additional Information: - Original Researcher: Bob Matyas - Submitter: Bob Matyas - Submitter Website: https://www.bobmatyas.com - Submitter Twitter: bobmatyas - Verified: Yes - WPVDB ID: d30a3b95-5d1f-4755-8b61-19946afc51ef - Publication Date: 2024-08-12 - Added Date: 2024-08-13 - Last Updated Date: 2024-08-13 - Related Vulnerabilities: - PowerPress Podcasting < 6.0.5 - Authenticated Cross-Site Scripting (XSS) - Afterpay Gateway for WooCommerce < 3.2.1 - Reflected Cross-Site Scripting - Pagination by BestWebSoft < 1.2.3 - Admin+ Stored XSS - AnsPress - Question and answer < 4.3.2 - Editor+ Stored XSS - Ultimate Blocks < 3.1.7 - Contributor+ Stored XSS This information provides a detailed description of the vulnerability, steps to exploit it, the affected plugin, and a list of related vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-7691: Unauthenticated Stored XSS in Flaming Forms <= 1.0.1

More from this source