CVE-2017-20192
published 2024-10-16


Priority: P180 medium
CVSS 3.1 base score: 6.1 (AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N)
Exploit status: exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 1.00% (58.4th percentile)
The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.

Affected (1 range)

Vendor      | Product                  | Version range | Fixed in
strategy11  | formidable_form_builder  | < 2.05.03     | 2.05.03

Detection & IOCs (extracted from sources)

Indicator (other): <img src=x onerror=alert(document.domain)
  • HTTP response status code is 200 and Content-Type header contains 'text/html' and body contains the XSS payload string '<img src=x onerror=alert(document.domain)' — indicative of a successful stored XSS injection via Formidable Form Builder plugin parameters such as 'after_html'.
  • Vulnerability affects Formidable Form Builder for WordPress versions before 2.05.03; unauthenticated attackers can inject via form entry parameters such as 'after_html'. Ensure detection covers unauthenticated POST requests to form submission endpoints.

CVSS provenance

NVD (CVSS v3.1): 6.1 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck: 8.3 HIGH