Stored Cross-Site Scripting Vulnerability in weForms Plugin
CVE-2024-0386

6.1 MEDIUM

Key Information:

Summary

The weForms plugin for WordPress is exposed to a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping of the 'Referer' HTTP header. The flaw exists in all versions of the weForms plugin up to and including version 1.6.21. If exploited, it allows unauthenticated attackers to inject malicious web scripts, which execute whenever legitimate users access an affected page. This vulnerability can lead to the compromise of users' sessions and of the integrity of the site's content, posing significant security risks for WordPress installations that use this plugin.
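The summary describes a request header that is stored on submission and later rendered without escaping. The following is an added illustration in WordPress PHP, not the weForms plugin's code: the unsafe pattern beside its hardened form, using only core WordPress functions. The option name 'example_form_referers' and all function names are hypothetical.

```php
<?php
// Added illustration, not the weForms plugin's code. It shows the general
// pattern the advisory describes: an HTTP Referer header stored on form
// submission and later displayed to an administrator. The option name
// 'example_form_referers' and the function names are hypothetical.

// Vulnerable pattern: the raw header is stored and later echoed unchanged,
// so anything the requester placed in Referer reaches the admin page as HTML.
function example_store_referer_unsafe() {
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    $log     = get_option( 'example_form_referers', array() );
    $log[]   = $referer;                         // no sanitization on input
    update_option( 'example_form_referers', $log );
}

function example_render_referers_unsafe() {
    foreach ( (array) get_option( 'example_form_referers', array() ) as $referer ) {
        echo '<td>' . $referer . '</td>';        // no escaping on output
    }
}

// Hardened pattern: treat Referer as untrusted input. Sanitize before storing
// (esc_url_raw keeps only a well-formed URL with an allowed scheme) and escape
// again at the point of output (esc_url for the attribute, esc_html for text).
function example_store_referer_safe() {
    $raw     = isset( $_SERVER['HTTP_REFERER'] ) ? wp_unslash( $_SERVER['HTTP_REFERER'] ) : '';
    $referer = esc_url_raw( sanitize_text_field( $raw ) );
    if ( '' === $referer ) {
        return; // absent or malformed header: store nothing rather than a fragment
    }
    $log   = get_option( 'example_form_referers', array() );
    $log[] = $referer;
    update_option( 'example_form_referers', $log );
}

function example_render_referers_safe() {
    foreach ( (array) get_option( 'example_form_referers', array() ) as $referer ) {
        printf(
            '<td><a href="%s">%s</a></td>',
            esc_url( $referer ),   // attribute context
            esc_html( $referer )   // text context; escaping again at output is the WordPress norm
        );
    }
}
```

Escaping at output is the decisive control here: stored data may have entered through an older, unsanitized code path, so the render step must not trust what it reads back from the database.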

Affected Version(s)

weForms – Easy Drag & Drop Contact Form Builder For WordPress, all versions <= 1.6.21

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Pedro Paniago