Cross-Site Scripting Vulnerability in Contact Form, Survey, Quiz & Popup Form Builder by WordPress
CVE-2024-10504
5.4MEDIUM
What is CVE-2024-10504?
The Contact Form, Survey, Quiz & Popup Form Builder plugin for WordPress prior to version 1.7.1 contains a vulnerability that allows unauthenticated users to execute Cross-Site Scripting attacks. This occurs due to improper sanitization and escaping of parameters when rendering them on the page. Attackers could exploit this vulnerability to inject malicious scripts, potentially compromising user data and site integrity.
Affected Version(s)
Contact Form, Survey, Quiz & Popup Form Builder 0 < 1.7.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved
Credit
Malek Althubiany
WPScan