PT-2024-11503 · WordPress · The Super Forms - Drag & Drop Form Builder
Koutrouss Naddara · Published 2024-01-16 · Updated 2024-01-22 · CVE-2022-0402
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The Super Forms - Drag & Drop Form Builder WordPress plugin versions prior to 6.0.4
Description
The plugin is affected by a reflected cross-site scripting (XSS) vulnerability. The bob czy panstwa sprawa zostala rozwiazana parameter is not properly escaped before being output in an HTML attribute via the "super language switcher" AJAX action. The action also lacks CSRF protection, which makes it easier for an attacker to target any user.
Recommendations
For versions prior to 6.0.4, update to version 6.0.4 or later to resolve the issue.
As a temporary workaround, consider restricting access to the "super language switcher" AJAX action until a patch is applied.
Avoid using the bob czy panstwa sprawa zostala rozwiazana parameter in the affected AJAX endpoint until the issue is resolved.
Exploit · Fix · XSS
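The two weaknesses named in the description (a request parameter reflected into an attribute without escaping, and an AJAX action with no CSRF check) map onto two concrete fixes in a WordPress handler. The following is an added illustration written for this advisory; it is not the Super Forms plugin's code, and the hook name `example_switcher`, the parameter `example_param`, the nonce action `example_switcher_nonce` and the allowed-value list are hypothetical placeholders.

```php
<?php
// Added illustration (not the Super Forms plugin's code): a WordPress AJAX
// handler that reflects a request parameter into an HTML attribute.
// Hook name, parameter name and nonce action are hypothetical placeholders.

// BEFORE: the value is echoed into an attribute without escaping and without
// a nonce check. A crafted link to admin-ajax.php with attacker-chosen
// content is enough to trigger the handler in a victim's browser.
function example_switcher_unsafe() {
    $value = isset( $_GET['example_param'] ) ? $_GET['example_param'] : '';
    echo '<div class="switcher" data-lang="' . $value . '"></div>';
    wp_die();
}

// AFTER: the handler verifies a nonce bound to this action (rejecting
// cross-site requests), restricts the parameter to known values, and
// escapes it with esc_attr() at the point of output.
function example_switcher_safe() {
    // With the default $die = true, check_ajax_referer() terminates the
    // request with a 403 status when the nonce is missing or invalid.
    check_ajax_referer( 'example_switcher_nonce', 'security' );

    $value = isset( $_GET['example_param'] )
        ? sanitize_key( wp_unslash( $_GET['example_param'] ) )
        : '';

    // Hypothetical allow-list of language codes the switcher supports.
    $allowed = array( 'en', 'de', 'fr' );
    if ( ! in_array( $value, $allowed, true ) ) {
        wp_send_json_error( 'invalid language', 400 );
    }

    // Attribute context, so escape with esc_attr(), not esc_html().
    echo '<div class="switcher" data-lang="' . esc_attr( $value ) . '"></div>';
    wp_die();
}

add_action( 'wp_ajax_example_switcher', 'example_switcher_safe' );
// Only register the nopriv hook if unauthenticated visitors genuinely need
// the action; dropping it is one way to apply the "restrict access" workaround.
add_action( 'wp_ajax_nopriv_example_switcher', 'example_switcher_safe' );
```

The page that calls this action must include a matching token, for example `wp_create_nonce( 'example_switcher_nonce' )` passed as the `security` request field. Because the nonce is tied to the user session, a third party cannot pre-build a working URL for a victim, which is the CSRF part of the advisory; the `esc_attr()` call closes the injection itself regardless of the nonce.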
Weakness Enumeration
Related Identifiers
Affected Products
The Super Forms - Drag & Drop Form Builder