CVE-2024-13509

Name of the Vulnerable Software and Affected Versions WS Form LITE – Drag & Drop Contact Form Builder for WordPress versions prior to 1.10.14

Description The issue concerns Stored Cross-Site Scripting via the url parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recommendations For versions prior to 1.10.14, update to version 1.10.14 to fully resolve the issue. As a temporary workaround, consider restricting access to the url parameter in the affected plugin until a patch is applied.