
    6 vulnerabilities found for WS Form LITE – Drag & Drop Contact Form Builder for WordPress by WS Form

    CVE-2023-52135 (GCVE-0-2023-52135)

    Vulnerability from nvd – Published: 2023-12-29 10:09 – Updated: 2026-04-28 16:09
    Title
    WordPress WS Form LITE Plugin <= 1.9.170 is vulnerable to SQL Injection
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WS Form WS Form LITE – Drag & Drop Contact Form Builder for WordPress. This issue affects WS Form LITE – Drag & Drop Contact Form Builder for WordPress: from n/a through 1.9.170.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Credits
    Muhammad Daffa (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:48:12.530Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/ws-form/wordpress-ws-form-lite-drag-drop-contact-form-builder-for-wordpress-plugin-1-9-170-sql-injection-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "ws-form",
              "product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
              "vendor": "WS Form",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.9.171",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.9.170",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Muhammad Daffa (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in WS Form WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress.\u003cp\u003eThis issue affects WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress: from n/a through 1.9.170.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in WS Form WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress.This issue affects WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress: from n/a through 1.9.170."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:05.164Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/ws-form/wordpress-ws-form-lite-drag-drop-contact-form-builder-for-wordpress-plugin-1-9-170-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a01.9.171 or a higher version."
                }
              ],
              "value": "Update to\u00a01.9.171 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WS Form LITE Plugin \u003c= 1.9.170 is vulnerable to SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-52135",
        "datePublished": "2023-12-29T10:09:42.451Z",
        "dateReserved": "2023-12-28T11:39:21.210Z",
        "dateUpdated": "2026-04-28T16:09:05.164Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-23988 (GCVE-0-2022-23988)

    Vulnerability from nvd – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
    Title
    WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting
    Summary
    The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing an unauthenticated attacker to submit XSS payloads which will get executed when a privileged user views the related submission.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Credits
    Felipe Restrepo Rodriguez

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.357Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
              "vendor": "WS Form",
              "versions": [
                {
                  "lessThan": "1.8.176",
                  "status": "affected",
                  "version": "1.8.176",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WS Form Pro",
              "vendor": "WS Form",
              "versions": [
                {
                  "lessThan": "1.8.176",
                  "status": "affected",
                  "version": "1.8.176",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Felipe Restrepo Rodriguez"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-28T09:07:03.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-23988",
              "STATE": "PUBLIC",
              "TITLE": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.8.176",
                                "version_value": "1.8.176"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WS Form Pro",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.8.176",
                                "version_value": "1.8.176"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WS Form"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Felipe Restrepo Rodriguez"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-23988",
        "datePublished": "2022-02-28T09:07:03.000Z",
        "dateReserved": "2022-01-26T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.357Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23987 (GCVE-0-2022-23987)

    Vulnerability from nvd – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
    Title
    WS Form < 1.8.176 - Admin+ Stored Cross-Site Scripting
    Summary
    The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Credits
    Felipe Restrepo Rodriguez

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.262Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
              "vendor": "WS Form",
              "versions": [
                {
                  "lessThan": "1.8.176",
                  "status": "affected",
                  "version": "1.8.176",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WS Form Pro",
              "vendor": "WS Form",
              "versions": [
                {
                  "lessThan": "1.8.176",
                  "status": "affected",
                  "version": "1.8.176",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Felipe Restrepo Rodriguez"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-28T09:07:01.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-23987",
              "STATE": "PUBLIC",
              "TITLE": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.8.176",
                                "version_value": "1.8.176"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WS Form Pro",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.8.176",
                                "version_value": "1.8.176"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WS Form"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Felipe Restrepo Rodriguez"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-23987",
        "datePublished": "2022-02-28T09:07:01.000Z",
        "dateReserved": "2022-01-26T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.262Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-52135 (GCVE-0-2023-52135)

    Vulnerability from cvelistv5 – Published: 2023-12-29 10:09 – Updated: 2026-04-28 16:09
    Title
    WordPress WS Form LITE Plugin <= 1.9.170 is vulnerable to SQL Injection
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WS Form WS Form LITE – Drag & Drop Contact Form Builder for WordPress. This issue affects WS Form LITE – Drag & Drop Contact Form Builder for WordPress: from n/a through 1.9.170.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Credits
    Muhammad Daffa (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:48:12.530Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/ws-form/wordpress-ws-form-lite-drag-drop-contact-form-builder-for-wordpress-plugin-1-9-170-sql-injection-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "ws-form",
              "product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
              "vendor": "WS Form",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.9.171",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.9.170",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Muhammad Daffa (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in WS Form WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress.\u003cp\u003eThis issue affects WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress: from n/a through 1.9.170.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in WS Form WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress.This issue affects WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress: from n/a through 1.9.170."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:05.164Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/ws-form/wordpress-ws-form-lite-drag-drop-contact-form-builder-for-wordpress-plugin-1-9-170-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a01.9.171 or a higher version."
                }
              ],
              "value": "Update to\u00a01.9.171 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WS Form LITE Plugin \u003c= 1.9.170 is vulnerable to SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-52135",
        "datePublished": "2023-12-29T10:09:42.451Z",
        "dateReserved": "2023-12-28T11:39:21.210Z",
        "dateUpdated": "2026-04-28T16:09:05.164Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-23988 (GCVE-0-2022-23988)

    Vulnerability from cvelistv5 – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
    Title
    WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting
    Summary
    The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing an unauthenticated attacker to submit XSS payloads which will get executed when a privileged user views the related submission.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Credits
    Felipe Restrepo Rodriguez

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.357Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
              "vendor": "WS Form",
              "versions": [
                {
                  "lessThan": "1.8.176",
                  "status": "affected",
                  "version": "1.8.176",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WS Form Pro",
              "vendor": "WS Form",
              "versions": [
                {
                  "lessThan": "1.8.176",
                  "status": "affected",
                  "version": "1.8.176",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Felipe Restrepo Rodriguez"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-28T09:07:03.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-23988",
              "STATE": "PUBLIC",
              "TITLE": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.8.176",
                                "version_value": "1.8.176"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WS Form Pro",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.8.176",
                                "version_value": "1.8.176"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WS Form"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Felipe Restrepo Rodriguez"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-23988",
        "datePublished": "2022-02-28T09:07:03.000Z",
        "dateReserved": "2022-01-26T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.357Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23987 (GCVE-0-2022-23987)

    Vulnerability from cvelistv5 – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
    Title
    WS Form < 1.8.176 - Admin+ Stored Cross-Site Scripting
    Summary
    The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Credits
    Felipe Restrepo Rodriguez

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.262Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
              "vendor": "WS Form",
              "versions": [
                {
                  "lessThan": "1.8.176",
                  "status": "affected",
                  "version": "1.8.176",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WS Form Pro",
              "vendor": "WS Form",
              "versions": [
                {
                  "lessThan": "1.8.176",
                  "status": "affected",
                  "version": "1.8.176",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Felipe Restrepo Rodriguez"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-28T09:07:01.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-23987",
              "STATE": "PUBLIC",
              "TITLE": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.8.176",
                                "version_value": "1.8.176"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WS Form Pro",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.8.176",
                                "version_value": "1.8.176"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "WS Form"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Felipe Restrepo Rodriguez"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-23987",
        "datePublished": "2022-02-28T09:07:01.000Z",
        "dateReserved": "2022-01-26T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.262Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }