CVE-2021-24705

Summary

The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings as well as form fields before outputting them in attributes. This could allow attackers to make a logged in admin edit arbitrary forms with Cross-Site Scripting payloads in them

Affected Software

VendorProductVersion RangeStatus
UnknownNEX-Forms0 < 8.4.3affected

Weaknesses

  • CWE-79 Cross-Site Scripting (XSS)
  • CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

References