WordPress Happyforms Plugin <= 1.25.9 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-48752

7.1HIGH

Key Information:

Vendor: WordPress
Status: Form Builder To Get In Touch With Visitors, Grow Your Email List And Collect Payments — Happyforms
Vendor: CVE Published:; 30 November 2023

What is CVE-2023-48752?

An improper neutralization of input during web page generation allows for a reflected Cross-Site Scripting vulnerability within the Happyforms plugin. This flaw enables attackers to inject malicious scripts that can be executed in the context of users visiting affected web pages. The vulnerability compromises user data and can lead to unauthorized actions, affecting any installation of Happyforms Form Builder from an unknown version up to 1.25.9. Proper input sanitization is essential to mitigate the threat posed by this vulnerability.

Affected Version(s)

Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms <= 1.25.9

References

https://patchstack.com/database/vulnerability/happyforms/...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 30, 2023
Vulnerability Reserved
Nov 18, 2023

Credit

Le Ngoc Anh (Patchstack Alliance)