CVE-2024-3053 — Cross-site Scripting in Forminator

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA6.4VulnCheck6.4

EPSS

0.1%

top 67.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Incsub Forminator

Timeline

PublishedApr 9

Description

The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ forminator_form shortcode attribute in versions up to, and including, 1.29.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDincsub/forminator< 1.29.3

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-jfx7-45mm-rw3j: The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ formi↗2024-04-09

▶

CVEList

Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.29.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode↗2024-04-09

▶

VulnCheck

Forminator Contact Form, Payment Form & Custom Form Builder plugin for WordPress Stored Cross Site Scripting Vulnerability↗2024

▶