CVE-2022-1564 — Cross-site Scripting in Form Maker

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.2%

top 57.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

10web Form Maker

Timeline

PublishedMay 30

Latest updateMay 31

Description

The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages1 packages

▶NVD10web/form_maker1.14.12

🔴Vulnerability Details

GHSA

GHSA-w3pj-w5x9-5wrh: The Form Maker by 10Web WordPress plugin before 1↗2022-05-31

▶

CVEList

Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting↗2022-05-30

▶