Unauthenticated Attackers Can Trick Users into Injecting Arbitrary Web Scripts via Reflected Cross-Site Scripting
CVE-2024-9613

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Formfacade – WordPress Plugin For Google Forms
Vendor: CVE Published:; 26 October 2024

Summary

The FormFacade plugin for Google Forms in WordPress presents a vulnerability related to reflected cross-site scripting (XSS) through the 'userId' and 'publishId' parameters. This issue arises from inadequate input sanitization and output escaping methods in all versions up to and including 1.3.6. As a result, unauthenticated attackers have the potential to exploit this vulnerability to inject arbitrary web scripts. Such scripts may execute in the context of the user’s session if the target is lured into clicking a malicious link. It is crucial for users of the affected plugin to take preventative measures, such as updating to a secure version and implementing proper web security practices.

Affected Version(s)

FormFacade – WordPress plugin for Google Forms * <= 1.3.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/formfacade/tru...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 26, 2024
Vulnerability Reserved
Oct 7, 2024

Credit

Dale Mavers