Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities found for WS Form Pro by WS Form
CVE-2024-13509 (GCVE-0-2024-13509)
Vulnerability from nvd – Published: 2025-01-28 06:38 – Updated: 2026-04-08 17:06
VLAI?
Title
WS Form LITE and PRO <= 1.10.13 - Unauthenticated Stored Cross-Site Scripting
Summary
The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| westguard | WS Form LITE – Drag & Drop Contact Form Builder |
Affected:
0 , ≤ 1.10.13
(semver)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T14:54:11.346546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T15:14:40.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder",
"vendor": "westguard",
"versions": [
{
"lessThanOrEqual": "1.10.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThanOrEqual": "1.10.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:53.872Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/910d9b31-b63a-427e-830b-a4c6a7e77ade?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3226595/ws-form"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3225862/ws-form"
},
{
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-20T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WS Form LITE and PRO \u003c= 1.10.13 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13509",
"datePublished": "2025-01-28T06:38:42.309Z",
"dateReserved": "2025-01-17T14:13:37.548Z",
"dateUpdated": "2026-04-08T17:06:53.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5424 (GCVE-0-2023-5424)
Vulnerability from nvd – Published: 2024-06-07 09:33 – Updated: 2026-04-08 16:46
VLAI?
Title
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection
Summary
The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Severity ?
4.7 (Medium)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| westguard | WS Form LITE – Drag & Drop Contact Form Builder |
Affected:
0 , ≤ 1.9.217
(semver)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T12:19:36.481560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T12:19:52.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder",
"vendor": "westguard",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duc Manh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:46:37.402Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-05T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-06-06T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WS Form LITE \u003c= 1.9.217 - Unauthenticated CSV Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-5424",
"datePublished": "2024-06-07T09:33:35.882Z",
"dateReserved": "2023-10-05T12:15:52.704Z",
"dateUpdated": "2026-04-08T16:46:37.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-23988 (GCVE-0-2022-23988)
Vulnerability from nvd – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
VLAI?
Title
WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress |
Affected:
1.8.176 , < 1.8.176
(custom)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:03.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23988",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23988",
"datePublished": "2022-02-28T09:07:03.000Z",
"dateReserved": "2022-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:59:23.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23987 (GCVE-0-2022-23987)
Vulnerability from nvd – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
VLAI?
Title
WS Form < 1.8.176 - Admin+ Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress |
Affected:
1.8.176 , < 1.8.176
(custom)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:01.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23987",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23987",
"datePublished": "2022-02-28T09:07:01.000Z",
"dateReserved": "2022-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:59:23.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13509 (GCVE-0-2024-13509)
Vulnerability from cvelistv5 – Published: 2025-01-28 06:38 – Updated: 2026-04-08 17:06
VLAI?
Title
WS Form LITE and PRO <= 1.10.13 - Unauthenticated Stored Cross-Site Scripting
Summary
The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| westguard | WS Form LITE – Drag & Drop Contact Form Builder |
Affected:
0 , ≤ 1.10.13
(semver)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T14:54:11.346546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T15:14:40.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder",
"vendor": "westguard",
"versions": [
{
"lessThanOrEqual": "1.10.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThanOrEqual": "1.10.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:53.872Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/910d9b31-b63a-427e-830b-a4c6a7e77ade?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3226595/ws-form"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3225862/ws-form"
},
{
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-20T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WS Form LITE and PRO \u003c= 1.10.13 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13509",
"datePublished": "2025-01-28T06:38:42.309Z",
"dateReserved": "2025-01-17T14:13:37.548Z",
"dateUpdated": "2026-04-08T17:06:53.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5424 (GCVE-0-2023-5424)
Vulnerability from cvelistv5 – Published: 2024-06-07 09:33 – Updated: 2026-04-08 16:46
VLAI?
Title
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection
Summary
The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Severity ?
4.7 (Medium)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| westguard | WS Form LITE – Drag & Drop Contact Form Builder |
Affected:
0 , ≤ 1.9.217
(semver)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T12:19:36.481560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T12:19:52.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder",
"vendor": "westguard",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duc Manh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:46:37.402Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-05T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-06-06T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WS Form LITE \u003c= 1.9.217 - Unauthenticated CSV Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-5424",
"datePublished": "2024-06-07T09:33:35.882Z",
"dateReserved": "2023-10-05T12:15:52.704Z",
"dateUpdated": "2026-04-08T16:46:37.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-23988 (GCVE-0-2022-23988)
Vulnerability from cvelistv5 – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
VLAI?
Title
WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress |
Affected:
1.8.176 , < 1.8.176
(custom)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:03.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23988",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23988",
"datePublished": "2022-02-28T09:07:03.000Z",
"dateReserved": "2022-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:59:23.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23987 (GCVE-0-2022-23987)
Vulnerability from cvelistv5 – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
VLAI?
Title
WS Form < 1.8.176 - Admin+ Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress |
Affected:
1.8.176 , < 1.8.176
(custom)
|
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:01.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23987",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23987",
"datePublished": "2022-02-28T09:07:01.000Z",
"dateReserved": "2022-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:59:23.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}