Stored Cross-Site Scripting in Easy Form Builder for WordPress
CVE-2024-12112

6.4 MEDIUM

Summary

The Easy Form Builder plugin for WordPress is vulnerable to stored cross-site scripting because the 'name' parameter of the 'add_form_Emsfb' AJAX action is neither sufficiently sanitized on input nor escaped on output. An authenticated attacker with Subscriber-level access or higher can submit a script payload through that parameter; the payload is stored and later executes in the browser of any user who views a page where the stored value is rendered. Site owners running the plugin should upgrade to the latest version or apply the available patches to protect their sites.
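The following is an added, hypothetical example, not code from the Easy Form Builder plugin: a WordPress AJAX handler of the shape the summary describes, hardened with the controls the advisory says were missing (a nonce check, a capability check, sanitize_text_field() on the 'name' input, and esc_html() at render time). The 'emsfb_form' post type, the 'edit_posts' capability choice and the function names are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. The action and parameter
// names mirror the advisory; the post type and function names are assumed.

add_action( 'wp_ajax_add_form_Emsfb', 'example_add_form_handler' );

function example_add_form_handler() {
    // 1. Reject forged requests: the nonce is issued with wp_create_nonce( 'add_form_Emsfb' )
    //    and must arrive in the 'security' field of the POST body.
    check_ajax_referer( 'add_form_Emsfb', 'security' );

    // 2. Least privilege: a Subscriber should not be able to create forms at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input sanitization: strip tags, octets and control characters before storing.
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( array( 'message' => 'Form name is required.' ), 400 );
    }

    $form_id = wp_insert_post(
        array(
            'post_type'   => 'emsfb_form',   // assumed custom post type
            'post_title'  => $name,
            'post_status' => 'publish',
        ),
        true // return a WP_Error instead of 0 on failure
    );

    if ( is_wp_error( $form_id ) ) {
        wp_send_json_error( array( 'message' => $form_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $form_id ) );
}

// 4. Output escaping: the stored value is escaped for its HTML context when rendered,
//    so anything that slipped past input filtering is shown as text, not executed.
function example_render_form_name( $form_id ) {
    $post = get_post( $form_id );
    if ( ! $post ) {
        return '';
    }
    return '<h2 class="emsfb-form-name">' . esc_html( $post->post_title ) . '</h2>';
}
```

Output escaping is the control that actually prevents stored XSS; the sanitization and permission checks are defense in depth, since data can reach the database by other paths.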

Affected Version(s)

Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder: <= 3.8.8 (all versions up to and including 3.8.8)

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Noah Stead