CVE-2021-24884 — Cross-site Scripting in Formidable Form Builder

CWE-79 — Cross-site Scripting CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

9.6CRITICALNVD

EPSS

19.2%

top 4.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Strategy11 Formidable Form Builder

Timeline

PublishedOct 25

Latest updateMay 24

Description

The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like ,,, and.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages1 packages

▶NVDstrategy11/formidable_form_builder< 4.09.05

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-h6gj-jhrr-g634: The Formidable Form Builder WordPress plugin before 4↗2022-05-24

▶

CVEList

Formidable Form Builder < 4.09.05 - Unauthenticated Stored Cross-Site Scripting↗2021-10-25

▶