CVE-2022-0402
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bob_czy_panstwa_sprawa_zostala_rozwiazana parameter before outputting it back in an attribute via the super_language_switcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Unknown | Super Forms - Drag & Drop Form Builder | 0 < 6.0.4 | affected |
Weaknesses
- CWE-79 Cross-Site Scripting (XSS)
- CWE-352 Cross-Site Request Forgery (CSRF)
ADP Enrichment
CVE Program Container
Additional References
- https://wpscan.com/vulnerability/2e2e2478-2488-4c91-8af8-69b07783854f/
- https://github.com/RensTillmann/super-forms/commit/c19d65abbe43d9b6359c1bf3498dc697d0c19d02
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://wpscan.com/vulnerability/2e2e2478-2488-4c91-8af8-69b07783854f/
- https://github.com/RensTillmann/super-forms/commit/c19d65abbe43d9b6359c1bf3498dc697d0c19d02
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.