CformsII Stored XSS Vulnerability
CVE-2024-22149

7.1HIGH

Key Information:

Vendor: WordPress
Status: Cformsii
Vendor: CVE Published:; 27 March 2024

What is CVE-2024-22149?

The vulnerability presents an improper neutralization of input during web page generation, commonly known as a Cross-site Scripting (XSS) flaw. This issue allows attackers to store malicious scripts within the CformsII plugin, impacting user interactions and data integrity. Users who load a compromised page may inadvertently execute these scripts, leading to unauthorized access to sensitive information and potentially compromising entire web applications. All versions of CformsII from its inception up to 15.0.5 are affected, necessitating immediate attention to safeguard web applications utilizing this plugin.

Affected Version(s)

CformsII <= 15.0.5

References

https://patchstack.com/database/vulnerability/cforms2/wor...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2024
Vulnerability Reserved
Jan 5, 2024

Credit

emad (Patchstack Alliance)