Lucene search
Mohamed AzarudheenWPVDB-ID:229207BB-8F8D-4579-A8E2-54516474CCB4HistoryOct 27, 2023 - 12:00 a.m.
Forminator and Forminator Pro < 1.27.0 - Admin+ Stored Cross-Site Scripting
2023-10-2700:00:00
Mohamed Azarudheen
wpscan.com
11
forminator
forminator pro
cross-site scripting
sanitize
redirect
high-privilege users
administrator
unfiltered html
multisite setup
vulnerability
Description The plugin does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).
PoC
Select the “Redirect user to a URL” in the after submission behaviour, and use the following URL: javascript:alert(document.domain) The payload will trigger whenever anybody submits the form.
Related
wpexploit
wpexploit
Forminator and Forminator Pro < 1.27.0 - Admin+ Stored Cross-Site Scripting
2023-10-27 00:00:00
cve
cve
CVE-2023-5119
2023-11-20 19:15:09
prion
prion
Code injection
2023-11-20 19:15:00
openvas
openvas
WordPress Forminator Plugin < 1.27.0 XSS Vulnerability
2023-11-21 00:00:00
cvelist
cvelist
nvd
nvd
CVE-2023-5119
2023-11-20 19:15:09
AI Score
6.9
Confidence
High
EPSS
0
Percentile
14.0%
Related for WPVDB-ID:229207BB-8F8D-4579-A8E2-54516474CCB4