CVE-2022-1046

CWE-79Cross-site Scripting (XSS)CWE-476NULL Pointer DereferenceCWE-401Memory Leak5 documents4 sources
Severity
4.8MEDIUM
EPSS
0.2%
top 57.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Visual Form BuilderVfbpro Visual Form Builder
Timeline
PublishedMay 2
Latest updateSep 18

Description

The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/visual_form_builder3.0.73.0.7

🔴Vulnerability Details

2
GHSA
GHSA-fmjq-pj33-mxhg: The Visual Form Builder WordPress plugin before 32022-05-03
CVEList
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting2022-05-02

📋Vendor Advisories

1
Red Hat
kernel: net: sched: fix memory leak in tcindex_set_parms2025-09-18
CVE-2022-1046 (MEDIUM CVSS 4.8) | The Visual Form Builder WordPress p | cvebase.io