8 vulnerabilities found for tripetto by tripetto
CVE-2025-1530 (GCVE-0-2025-1530)
Vulnerability from nvd – Published: 2025-03-15 11:13 – Updated: 2025-03-17 21:27
Title
Tripetto <= 8.0.9 - Cross-Site Request Forgery to Arbitrary Results Deletion
Summary
The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tripetto | WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Affected: * , ≤ 8.0.9 (semver) |
Credits
Duc Manh
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1530",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T21:25:11.292083Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T21:27:38.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto",
"vendor": "tripetto",
"versions": [
{
"lessThanOrEqual": "8.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duc Manh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-15T11:13:28.584Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd80abd9-3f41-414a-a781-9bff7d85ec4b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tripetto/trunk/lib/capabilities.php"
},
{
"url": "https://wordpress.org/plugins/tripetto/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3251202/tripetto/trunk/admin/results/list.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3251202/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3251202/tripetto/trunk/admin/results/results.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-14T22:58:21.000+00:00",
"value": "Disclosed"
}
],
"title": "Tripetto \u003c= 8.0.9 - Cross-Site Request Forgery to Arbitrary Results Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1530",
"datePublished": "2025-03-15T11:13:28.584Z",
"dateReserved": "2025-02-21T00:47:08.805Z",
"dateUpdated": "2025-03-17T21:27:38.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13497 (GCVE-0-2024-13497)
Vulnerability from nvd – Published: 2025-03-15 04:22 – Updated: 2025-03-17 16:53
Title
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto <= 8.0.9 - Unauthenticated Stored Cross-Site Scripting
Summary
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file.
Severity
7.2 (High)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tripetto | WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Affected: * , ≤ 8.0.9 (semver) |
Credits
Tim Coen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T16:53:43.548470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T16:53:51.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto",
"vendor": "tripetto",
"versions": [
{
"lessThanOrEqual": "8.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-15T04:22:08.315Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbbe006c-1afc-4c8b-a9f3-ffb21cdabb54?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tripetto/trunk/lib/attachments.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3251202%40tripetto%2Ftrunk\u0026old=3231968%40tripetto%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-14T15:25:13.000+00:00",
"value": "Disclosed"
}
],
"title": "WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto \u003c= 8.0.9 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13497",
"datePublished": "2025-03-15T04:22:08.315Z",
"dateReserved": "2025-01-16T21:09:55.087Z",
"dateUpdated": "2025-03-17T16:53:51.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10260 (GCVE-0-2024-10260)
Vulnerability from nvd – Published: 2024-11-15 05:30 – Updated: 2024-11-15 18:17
Title
Tripetto <= 8.0.3 - Unauthenticated Stored Cross-Site Scripting via Form File Upload
Summary
The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the file.
Severity
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tripetto | WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Affected: * , ≤ 8.0.3 (semver) |
Credits
Max Boll
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tripetto:tripetto:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tripetto",
"vendor": "tripetto",
"versions": [
{
"lessThanOrEqual": "8.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T18:14:24.492287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:17:36.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto",
"vendor": "tripetto",
"versions": [
{
"lessThanOrEqual": "8.0.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Max Boll"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T05:30:56.350Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3718c252-2ca3-4f7d-b43a-3c1b2e6b34c0?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/tripetto/trunk/lib/attachments.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-14T16:36:11.000+00:00",
"value": "Disclosed"
}
],
"title": "Tripetto \u003c= 8.0.3 - Unauthenticated Stored Cross-Site Scripting via Form File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10260",
"datePublished": "2024-11-15T05:30:56.350Z",
"dateReserved": "2024-10-22T19:48:26.074Z",
"dateUpdated": "2024-11-15T18:17:36.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36895 (GCVE-0-2021-36895)
Vulnerability from nvd – Published: 2022-04-26 18:13 – Updated: 2025-02-20 20:25
Title
WordPress Tripetto plugin <= 5.1.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload
Summary
Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.
Severity
4.7 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Tripetto | Tripetto (WordPress plugin) | Affected: <= 5.1.4 , ≤ 5.1.4 (custom) |
Credits
Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/tripetto/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/tripetto/wordpress-tripetto-plugin-5-1-4-unauthenticated-cross-site-scripting-xss-vulnerability-via-svg-image-upload"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:31:05.194907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:25:13.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Tripetto (WordPress plugin)",
"vendor": "Tripetto",
"versions": [
{
"lessThanOrEqual": "5.1.4",
"status": "affected",
"version": "\u003c= 5.1.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)"
}
],
"datePublic": "2022-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto\u0027s Tripetto plugin \u003c= 5.1.4 on WordPress via SVG image upload."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-26T18:13:02.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/tripetto/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/tripetto/wordpress-tripetto-plugin-5-1-4-unauthenticated-cross-site-scripting-xss-vulnerability-via-svg-image-upload"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 5.2.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Tripetto plugin \u003c= 5.1.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-04-26T06:54:00.000Z",
"ID": "CVE-2021-36895",
"STATE": "PUBLIC",
"TITLE": "WordPress Tripetto plugin \u003c= 5.1.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Tripetto (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 5.1.4",
"version_value": "5.1.4"
}
]
}
}
]
},
"vendor_name": "Tripetto"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto\u0027s Tripetto plugin \u003c= 5.1.4 on WordPress via SVG image upload."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/tripetto/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/tripetto/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/tripetto/wordpress-tripetto-plugin-5-1-4-unauthenticated-cross-site-scripting-xss-vulnerability-via-svg-image-upload",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/tripetto/wordpress-tripetto-plugin-5-1-4-unauthenticated-cross-site-scripting-xss-vulnerability-via-svg-image-upload"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 5.2.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36895",
"datePublished": "2022-04-26T18:13:02.891Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:25:13.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1530 (GCVE-0-2025-1530)
Vulnerability from cvelistv5 – Published: 2025-03-15 11:13 – Updated: 2025-03-17 21:27
Title
Tripetto <= 8.0.9 - Cross-Site Request Forgery to Arbitrary Results Deletion
Summary
The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tripetto | WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Affected: * , ≤ 8.0.9 (semver) |
Credits
Duc Manh
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1530",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T21:25:11.292083Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T21:27:38.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto",
"vendor": "tripetto",
"versions": [
{
"lessThanOrEqual": "8.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duc Manh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-15T11:13:28.584Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd80abd9-3f41-414a-a781-9bff7d85ec4b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tripetto/trunk/lib/capabilities.php"
},
{
"url": "https://wordpress.org/plugins/tripetto/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3251202/tripetto/trunk/admin/results/list.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3251202/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3251202/tripetto/trunk/admin/results/results.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-14T22:58:21.000+00:00",
"value": "Disclosed"
}
],
"title": "Tripetto \u003c= 8.0.9 - Cross-Site Request Forgery to Arbitrary Results Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1530",
"datePublished": "2025-03-15T11:13:28.584Z",
"dateReserved": "2025-02-21T00:47:08.805Z",
"dateUpdated": "2025-03-17T21:27:38.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13497 (GCVE-0-2024-13497)
Vulnerability from cvelistv5 – Published: 2025-03-15 04:22 – Updated: 2025-03-17 16:53
Title
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto <= 8.0.9 - Unauthenticated Stored Cross-Site Scripting
Summary
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file.
Severity
7.2 (High)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tripetto | WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Affected: * , ≤ 8.0.9 (semver) |
Credits
Tim Coen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T16:53:43.548470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T16:53:51.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto",
"vendor": "tripetto",
"versions": [
{
"lessThanOrEqual": "8.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-15T04:22:08.315Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbbe006c-1afc-4c8b-a9f3-ffb21cdabb54?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tripetto/trunk/lib/attachments.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3251202%40tripetto%2Ftrunk\u0026old=3231968%40tripetto%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-14T15:25:13.000+00:00",
"value": "Disclosed"
}
],
"title": "WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto \u003c= 8.0.9 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13497",
"datePublished": "2025-03-15T04:22:08.315Z",
"dateReserved": "2025-01-16T21:09:55.087Z",
"dateUpdated": "2025-03-17T16:53:51.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10260 (GCVE-0-2024-10260)
Vulnerability from cvelistv5 – Published: 2024-11-15 05:30 – Updated: 2024-11-15 18:17
Title
Tripetto <= 8.0.3 - Unauthenticated Stored Cross-Site Scripting via Form File Upload
Summary
The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the file.
Severity
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tripetto | WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | Affected: * , ≤ 8.0.3 (semver) |
Credits
Max Boll
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tripetto:tripetto:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tripetto",
"vendor": "tripetto",
"versions": [
{
"lessThanOrEqual": "8.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T18:14:24.492287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:17:36.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress form builder plugin for contact forms, surveys and quizzes \u2013 Tripetto",
"vendor": "tripetto",
"versions": [
{
"lessThanOrEqual": "8.0.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Max Boll"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T05:30:56.350Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3718c252-2ca3-4f7d-b43a-3c1b2e6b34c0?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/tripetto/trunk/lib/attachments.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-14T16:36:11.000+00:00",
"value": "Disclosed"
}
],
"title": "Tripetto \u003c= 8.0.3 - Unauthenticated Stored Cross-Site Scripting via Form File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10260",
"datePublished": "2024-11-15T05:30:56.350Z",
"dateReserved": "2024-10-22T19:48:26.074Z",
"dateUpdated": "2024-11-15T18:17:36.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36895 (GCVE-0-2021-36895)
Vulnerability from cvelistv5 – Published: 2022-04-26 18:13 – Updated: 2025-02-20 20:25
Title
WordPress Tripetto plugin <= 5.1.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload
Summary
Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.
Severity
4.7 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Tripetto | Tripetto (WordPress plugin) | Affected: <= 5.1.4 , ≤ 5.1.4 (custom) |
Credits
Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/tripetto/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/tripetto/wordpress-tripetto-plugin-5-1-4-unauthenticated-cross-site-scripting-xss-vulnerability-via-svg-image-upload"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:31:05.194907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:25:13.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Tripetto (WordPress plugin)",
"vendor": "Tripetto",
"versions": [
{
"lessThanOrEqual": "5.1.4",
"status": "affected",
"version": "\u003c= 5.1.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)"
}
],
"datePublic": "2022-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto\u0027s Tripetto plugin \u003c= 5.1.4 on WordPress via SVG image upload."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-26T18:13:02.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/tripetto/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/tripetto/wordpress-tripetto-plugin-5-1-4-unauthenticated-cross-site-scripting-xss-vulnerability-via-svg-image-upload"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 5.2.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Tripetto plugin \u003c= 5.1.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-04-26T06:54:00.000Z",
"ID": "CVE-2021-36895",
"STATE": "PUBLIC",
"TITLE": "WordPress Tripetto plugin \u003c= 5.1.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Tripetto (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 5.1.4",
"version_value": "5.1.4"
}
]
}
}
]
},
"vendor_name": "Tripetto"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto\u0027s Tripetto plugin \u003c= 5.1.4 on WordPress via SVG image upload."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/tripetto/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/tripetto/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/tripetto/wordpress-tripetto-plugin-5-1-4-unauthenticated-cross-site-scripting-xss-vulnerability-via-svg-image-upload",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/tripetto/wordpress-tripetto-plugin-5-1-4-unauthenticated-cross-site-scripting-xss-vulnerability-via-svg-image-upload"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 5.2.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36895",
"datePublished": "2022-04-26T18:13:02.891Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-02-20T20:25:13.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}