WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting
CVE-2022-23988

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Ws Form Lite – Drag & Drop Contact Form Builder For WordPress; Ws Form Pro
Vendor: CVE Published:; 28 February 2022

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 14%

What is CVE-2022-23988?

The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission

Affected Version(s)

WS Form LITE – Drag & Drop Contact Form Builder for WordPress 1.8.176

WS Form Pro 1.8.176

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

WebSecurityProject
Created by simonepetruzzi

References

https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-...

x_refsource_MISC

EPSS Score

14% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Oct 12, 2023
👾
Exploit known to exist
Oct 12, 2023
Vulnerability published
Feb 28, 2022
Vulnerability Reserved
Jan 26, 2022

Credit

Felipe Restrepo Rodriguez

Wordpress