Stored Cross-Site Scripting Vulnerability in Flo Forms Plugin for WordPress
CVE-2021-4367

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Flo Forms – Easy Drag & Drop Form Builder
Vendor: CVE Published:; 7 June 2023

What is CVE-2021-4367?

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress allows authenticated attackers, including subscribers, to exploit stored Cross-Site Scripting due to inadequate input sanitization and output escaping. By leveraging the flo_import_forms_options AJAX action, attackers can inject malicious scripts into pages that execute when users access the tainted pages, potentially compromising user data and enabling further exploitation.

Affected Version(s)

Flo Forms – Easy Drag & Drop Form Builder * <= 1.0.35

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://blog.nintechnet.com/zero-day-vulnerability-fixed-...

https://wpscan.com/vulnerability/b4a83501-c727-4c9b-a9a1-...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 7, 2023
Vulnerability Reserved
Jun 6, 2023

Credit

Jerome Bruandet