Joel Indra

**Name of the Vulnerable Software and Affected Versions** The Smart Forms versions up to, and including, 2.6.98 **Description** The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 2.6.98, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to admin settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Survey Maker plugin for WordPress versions up to, and including, 5.1.3.3 **Description** The issue is related to Stored Cross-Site Scripting via the `ays sections[5][questions][8][title]` parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 5.1.3.3, update to a version later than 5.1.3.3 to resolve the issue. As a temporary workaround, consider restricting access to the `ays sections[5][questions][8][title]` parameter to minimize the risk of exploitation. Additionally, ensure that unfiltered html is enabled and restrict administrator-level access to trusted users only.

Name of the Vulnerable Software and Affected Versions: The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress versions up to, and including, 1.15.27 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Administrator-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 1.15.27, update to a version higher than 1.15.27 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ninja Forms versions 3.8.11 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For versions 3.8.11 and earlier, update to a version later than 3.8.11 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress versions up to, and including, 5.1.19 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Administrator-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 5.1.19, update to a version higher than 5.1.19 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress versions up to, and including, 5.1.19 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Administrator-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 5.1.19, update to a version higher than 5.1.19 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress versions up to, and including, 5.1.19 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Administrator-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 5.1.19, update to a version higher than 5.1.19 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Form Maker by 10Web versions 1.15.23 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially leading to unauthorized access or data theft. **Recommendations** For versions 1.15.23 and earlier, update to a version later than 1.15.23 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Darko Top Bar versions 3.0.5 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially affecting users who visit the site. **Recommendations** For WP Darko Top Bar versions 3.0.5 and earlier, update to a version later than 3.0.5 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Contact Forms by Cimatti versions 1.8.0 and earlier **Description** The issue is related to improper neutralization of input during web page generation, also known as Cross-site Scripting. This allows for Stored XSS. **Recommendations** For versions 1.8.0 and earlier, update to a version that contains a fix for this issue, as the current version is affected by the Stored XSS vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WPFront Notification Bar versions 3.3.2 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially leading to unauthorized access or other security issues. **Recommendations** For versions 3.3.2 and earlier, update to a version later than 3.3.2 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Survey Maker versions through 4.0.5 **Description** The issue is related to improper neutralization of input during web page generation, which allows stored cross-site scripting (XSS). This means that an attacker can inject malicious scripts into the web page, potentially leading to unauthorized actions or data theft. **Recommendations** For versions through 4.0.5, update to a version later than 4.0.5 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific issue.