PT-2022-13454 · WordPress · Form Builder
Author: Chiragh Arora
Published: 2022-04-04
Updated: 2022-06-03
CVE-2022-0830
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
FormBuilder WordPress plugin versions 1.08 and earlier
Description
The issue concerns the lack of CSRF checks when creating, updating, and deleting forms, as well as insufficient sanitization and escaping of form field values. An attacker can therefore use CSRF to make a logged-in admin update and delete arbitrary forms and, because field values are neither sanitized on input nor escaped on output, inject Cross-Site Scripting payloads through them.
Recommendations
For versions 1.08 and earlier, update to a version that includes CSRF checks and proper sanitization and escaping of form field values.
As a temporary workaround, consider restricting access to form creation, update, and deletion functionality to minimize the risk of exploitation.
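The following is an added example, not code from the Form Builder plugin, showing what the recommended fix looks like in a WordPress form-save handler: a nonce check against CSRF, a capability check, sanitization of the submitted field values, and escaping when they are rendered. The hook name `fb_demo_save_form`, the option key prefix `fb_demo_form_`, the nonce name `fb_demo_nonce` and the field names are assumptions chosen for the example.

```php
<?php
/*
 * Added example (not the Form Builder plugin's own code): a hypothetical
 * admin-post.php handler that saves a form definition with the controls
 * CVE-2022-0830 describes as missing: a CSRF nonce check, a capability
 * check, input sanitization and output escaping. Hook names, option keys
 * and field names are assumptions.
 */

// Handles POST admin-post.php?action=fb_demo_save_form (assumed action name).
add_action( 'admin_post_fb_demo_save_form', 'fb_demo_save_form' );

function fb_demo_save_form() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_admin_referer() calls wp_die() on failure, so a cross-site POST
    //    riding on an admin's session never reaches the update below.
    check_admin_referer( 'fb_demo_save_form', 'fb_demo_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege, so check capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'fb-demo' ), 403 );
    }

    // 3. Input sanitization: never store raw $_POST values.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $title   = isset( $_POST['form_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['form_title'] ) )
        : '';

    $raw_fields = ( isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) )
        ? wp_unslash( $_POST['fields'] )
        : array();
    $allowed_types = array( 'text', 'email', 'textarea' );
    $fields        = array();
    foreach ( $raw_fields as $field ) {
        $type     = isset( $field['type'] ) ? (string) $field['type'] : 'text';
        $fields[] = array(
            'label' => sanitize_text_field( isset( $field['label'] ) ? $field['label'] : '' ),
            // Allow-list the type instead of trusting the submitted string.
            'type'  => in_array( $type, $allowed_types, true ) ? $type : 'text',
        );
    }

    update_option( 'fb_demo_form_' . $form_id, array( 'title' => $title, 'fields' => $fields ) );

    wp_safe_redirect( add_query_arg( array( 'page' => 'fb-demo', 'saved' => 1 ), admin_url( 'admin.php' ) ) );
    exit;
}

// 4. Output escaping: escape stored values at render time, for the context they land in.
function fb_demo_render_form( $form_id ) {
    $form = get_option( 'fb_demo_form_' . absint( $form_id ), array( 'title' => '', 'fields' => array() ) );
    echo '<h2>' . esc_html( $form['title'] ) . '</h2>';
    foreach ( $form['fields'] as $field ) {
        printf(
            '<label>%s <input type="%s" name="%s"></label>',
            esc_html( $field['label'] ),                 // HTML text context
            esc_attr( $field['type'] ),                  // attribute context
            esc_attr( sanitize_key( $field['label'] ) )  // attribute context, restricted charset
        );
    }
}

// The edit screen must emit the matching nonce field inside its <form>.
function fb_demo_edit_form_markup( $form_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="fb_demo_save_form">';
    echo '<input type="hidden" name="form_id" value="' . esc_attr( absint( $form_id ) ) . '">';
    wp_nonce_field( 'fb_demo_save_form', 'fb_demo_nonce' );
    // Title and field inputs go here.
    echo '</form>';
}
```

The same pattern applies to create and delete handlers; for AJAX endpoints the equivalent of `check_admin_referer()` is `check_ajax_referer()`. Sanitizing on save and escaping on output are separate steps, and both are needed: sanitization limits what is stored, while escaping makes whatever is stored safe for the specific HTML context it is printed into.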
Exploit
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products: Form Builder