Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-20192

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

6.1MEDIUM

EPSS

28.7%

top 3.46%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Strategy11 Formidable Form Builder

Timeline

PublishedOct 16

Description

The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.7

Affected Packages1 packages

▶NVDstrategy11/formidable_form_builder< 2.05.03

🔴Vulnerability Details

CVEList

Formidable Form Builder < 2.05.03 - Unauthenticated Stored Cross-Site Scripting↗2024-10-16

▶

GHSA

GHSA-25w9-jxhc-6r43: The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries li↗2024-10-16

▶

VulnCheck

Formidable Form Builder plugin for WordPress after_html Stored Cross-Site Scripting Vulnerability↗2017

▶

💥Exploits & PoCs

Nuclei

Formidable Forms < 2.05.02 - Cross-Site Scripting

▶