All the vulnerabilites related to WPMU DEV - Forminator
cve-2024-45625
Vulnerability from cvelistv5
Published
2024-09-09 04:44
Modified
2024-09-12 17:33
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | WPMU DEV | Forminator |
Version: prior to 1.34.1 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-45625", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-09T13:19:29.143880Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-12T17:33:11.500Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Forminator", "vendor": "WPMU DEV", "versions": [ { "status": "affected", "version": "prior to 1.34.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability exists in Forminator versions prior to 1.34.1. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who follows a crafted URL and accesses the webpage with the web form created by Forminator." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-09T04:44:54.663Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://wordpress.org/plugins/forminator/" }, { "url": "https://plugins.trac.wordpress.org/changeset?new=3135507%40forminator%2Ftrunk%2Fassets%2Fjs%2Ffront%2Ffront.mergetags.js\u0026old=3111152%40forminator%2Ftrunk%2Fassets%2Fjs%2Ffront%2Ffront.mergetags.js" }, { "url": "https://wpmudev.com/" }, { "url": "https://jvn.jp/en/jp/JVN65724976/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2024-45625", "datePublished": "2024-09-09T04:44:54.663Z", "dateReserved": "2024-09-03T01:43:24.807Z", "dateUpdated": "2024-09-12T17:33:11.500Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-31077
Vulnerability from cvelistv5
Published
2024-04-23 04:47
Modified
2024-08-02 01:46
Severity ?
EPSS score ?
Summary
Forminator prior to 1.29.3 contains a SQL injection vulnerability. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may obtain and alter any information in the database and cause a denial-of-service (DoS) condition.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | WPMU DEV | Forminator |
Version: prior to 1.29.3 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:incsub:forminator:*:*:*:*:*:wordpress:*:*" ], "defaultStatus": "unknown", "product": "forminator", "vendor": "incsub", "versions": [ { "lessThan": "1.29.3", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-31077", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-23T15:38:19.348505Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-24T15:06:48.660Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:46:04.186Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://wordpress.org/plugins/forminator/" }, { "tags": [ "x_transferred" ], "url": "https://wpmudev.com/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN50132400/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Forminator", "vendor": "WPMU DEV", "versions": [ { "status": "affected", "version": "prior to 1.29.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Forminator prior to 1.29.3 contains a SQL injection vulnerability. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may obtain and alter any information in the database and cause a denial-of-service (DoS) condition." } ], "problemTypes": [ { "descriptions": [ { "description": "SQL Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-23T04:47:03.136Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://wordpress.org/plugins/forminator/" }, { "url": "https://wpmudev.com/" }, { "url": "https://jvn.jp/en/jp/JVN50132400/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2024-31077", "datePublished": "2024-04-23T04:47:03.136Z", "dateReserved": "2024-04-12T01:58:20.365Z", "dateUpdated": "2024-08-02T01:46:04.186Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-29777
Vulnerability from cvelistv5
Published
2024-03-27 13:00
Modified
2024-08-02 01:17
Severity ?
EPSS score ?
Summary
WordPress Forminator plugin <= 1.29.0 - Reflected Cross Site Scripting (XSS) vulnerability
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | WPMU DEV | Forminator |
Version: n/a < |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-29777", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-27T19:34:36.045283Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:57:35.696Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:17:56.849Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_transferred" ], "url": "https://patchstack.com/database/vulnerability/forminator/wordpress-forminator-plugin-1-29-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "forminator", "product": "Forminator", "vendor": "WPMU DEV", "versions": [ { "changes": [ { "at": "1.29.1", "status": "unaffected" } ], "lessThanOrEqual": "1.29.0", "status": "affected", "version": "n/a", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rafie Muhammad (Patchstack)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPMU DEV Forminator allows Reflected XSS.\u003cp\u003eThis issue affects Forminator: from n/a through 1.29.0.\u003c/p\u003e" } ], "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPMU DEV Forminator allows Reflected XSS.This issue affects Forminator: from n/a through 1.29.0.\n\n" } ], "impacts": [ { "capecId": "CAPEC-591", "descriptions": [ { "lang": "en", "value": "CAPEC-591 Reflected XSS" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-27T13:00:52.321Z", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack" }, "references": [ { "tags": [ "vdb-entry" ], "url": "https://patchstack.com/database/vulnerability/forminator/wordpress-forminator-plugin-1-29-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update to 1.29.1 or a higher version." } ], "value": "Update to 1.29.1 or a higher version." } ], "source": { "discovery": "EXTERNAL" }, "title": "WordPress Forminator plugin \u003c= 1.29.0 - Reflected Cross Site Scripting (XSS) vulnerability", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2024-29777", "datePublished": "2024-03-27T13:00:52.321Z", "dateReserved": "2024-03-19T15:10:59.183Z", "dateUpdated": "2024-08-02T01:17:56.849Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28890
Vulnerability from cvelistv5
Published
2024-04-23 04:56
Modified
2024-11-18 21:11
Severity ?
EPSS score ?
Summary
Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | WPMU DEV | Forminator |
Version: prior to 1.29.0 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:wpmudev:broken_link_checker:*:*:*:*:*:wordpress:*:*" ], "defaultStatus": "unknown", "product": "broken_link_checker", "vendor": "wpmudev", "versions": [ { "status": "affected", "version": "*" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-28890", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-23T13:53:38.620937Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-18T21:11:06.673Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:03:50.244Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://wordpress.org/plugins/forminator/" }, { "tags": [ "x_transferred" ], "url": "https://wpmudev.com/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN50132400/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Forminator", "vendor": "WPMU DEV", "versions": [ { "status": "affected", "version": "prior to 1.29.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition. " } ], "problemTypes": [ { "descriptions": [ { "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-23T04:56:24.799Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://wordpress.org/plugins/forminator/" }, { "url": "https://wpmudev.com/" }, { "url": "https://jvn.jp/en/jp/JVN50132400/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2024-28890", "datePublished": "2024-04-23T04:56:24.799Z", "dateReserved": "2024-04-12T01:58:21.194Z", "dateUpdated": "2024-11-18T21:11:06.673Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-36821
Vulnerability from cvelistv5
Published
2023-03-16 14:45
Modified
2024-08-18 21:46
Severity ?
EPSS score ?
Summary
WordPress Forminator plugin <= 1.14.11 - Stored Cross-Site Scripting (XSS) vulnerability
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | WPMU DEV | Forminator |
Version: n/a < |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:incsub:forminator:*:*:*:*:*:wordpress:*:*" ], "defaultStatus": "unaffected", "product": "forminator", "vendor": "incsub", "versions": [ { "lessThanOrEqual": "1.14.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2021-36821", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-29T17:00:46.788565Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-02T14:03:49.611Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T01:01:59.790Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_transferred" ], "url": "https://patchstack.com/database/vulnerability/forminator/wordpress-forminator-plugin-1-14-11-stored-cross-site-scripting-xss-vulnerability?_s_id=cve" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "forminator", "product": "Forminator", "vendor": "WPMU DEV", "versions": [ { "changes": [ { "at": "1.14.12", "status": "unaffected" } ], "lessThanOrEqual": "1.14.11", "status": "affected", "version": "n/a", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "J\u00f6rgson (Patchstack Alliance)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in WPMU DEV Forminator allows Stored XSS.\u003cp\u003eThis issue affects Forminator: from n/a through 1.14.11.\u003c/p\u003e" } ], "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in WPMU DEV Forminator allows Stored XSS.This issue affects Forminator: from n/a through 1.14.11." } ], "impacts": [ { "capecId": "CAPEC-592", "descriptions": [ { "lang": "en", "value": "CAPEC-592 Stored XSS" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-18T21:46:15.781Z", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack" }, "references": [ { "tags": [ "vdb-entry" ], "url": "https://patchstack.com/database/vulnerability/forminator/wordpress-forminator-plugin-1-14-11-stored-cross-site-scripting-xss-vulnerability?_s_id=cve" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update to 1.14.12 or a higher version." } ], "value": "Update to 1.14.12 or a higher version." } ], "source": { "discovery": "EXTERNAL" }, "title": "WordPress Forminator plugin \u003c= 1.14.11 - Stored Cross-Site Scripting (XSS) vulnerability", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2021-36821", "datePublished": "2023-03-16T14:45:38.066Z", "dateReserved": "2021-07-19T21:03:50.384Z", "dateUpdated": "2024-08-18T21:46:15.781Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-31857
Vulnerability from cvelistv5
Published
2024-04-23 04:46
Modified
2024-08-02 01:59
Severity ?
EPSS score ?
Summary
Forminator prior to 1.15.4 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote attacker may obtain user information etc. and alter the page contents on the user's web browser.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | WPMU DEV | Forminator |
Version: prior to 1.15.4 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:incsub:forminator:*:*:*:*:*:wordpress:*:*" ], "defaultStatus": "unknown", "product": "forminator", "vendor": "incsub", "versions": [ { "status": "affected", "version": "*" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-31857", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-23T15:39:01.932480Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:36:03.413Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:59:49.388Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://wordpress.org/plugins/forminator/" }, { "tags": [ "x_transferred" ], "url": "https://wpmudev.com/" }, { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN50132400/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Forminator", "vendor": "WPMU DEV", "versions": [ { "status": "affected", "version": "prior to 1.15.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Forminator prior to 1.15.4 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote attacker may obtain user information etc. and alter the page contents on the user\u0027s web browser." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-23T04:46:50.478Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://wordpress.org/plugins/forminator/" }, { "url": "https://wpmudev.com/" }, { "url": "https://jvn.jp/en/jp/JVN50132400/" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2024-31857", "datePublished": "2024-04-23T04:46:50.478Z", "dateReserved": "2024-04-12T01:58:19.390Z", "dateUpdated": "2024-08-02T01:59:49.388Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
jvndb-2024-000041
Vulnerability from jvndb
Published
2024-04-18 13:53
Modified
2024-04-18 13:53
Severity ?
Summary
Multiple vulnerabilities in WordPress Plugin "Forminator"
Details
WordPress Plugin "Forminator" provided by WPMU DEV contains multiple vulnerabilities listed below.
* Unrestricted upload of file with dangerous type (CWE-434)
* SQL injection (CWE-89)
* Cross-site scripting (CWE-79)
hibiki moriyama of STNet, Incorporated reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
▼ | Type | URL |
---|---|---|
JVN | https://jvn.jp/en/jp/JVN50132400/index.html | |
CVE | https://www.cve.org/CVERecord?id=CVE-2024-28890 | |
CVE | https://www.cve.org/CVERecord?id=CVE-2024-31077 | |
CVE | https://www.cve.org/CVERecord?id=CVE-2024-31857 | |
Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
SQL Injection(CWE-89) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
No Mapping(CWE-Other) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
WPMU DEV | Forminator |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000041.html", "dc:date": "2024-04-18T13:53+09:00", "dcterms:issued": "2024-04-18T13:53+09:00", "dcterms:modified": "2024-04-18T13:53+09:00", "description": "WordPress Plugin \"Forminator\" provided by WPMU DEV contains multiple vulnerabilities listed below.\r\n * Unrestricted upload of file with dangerous type (CWE-434)\r\n * SQL injection (CWE-89)\r\n * Cross-site scripting (CWE-79)\r\n\r\nhibiki moriyama of STNet, Incorporated reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000041.html", "sec:cpe": { "#text": "cpe:/a:wpmudev:forminator", "@product": "Forminator", "@vendor": "WPMU DEV", "@version": "2.2" }, "sec:cvss": { "@score": "9.8", "@severity": "Critical", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "@version": "3.0" }, "sec:identifier": "JVNDB-2024-000041", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN50132400/index.html", "@id": "JVN#50132400", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2024-28890", "@id": "CVE-2024-28890", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2024-31077", "@id": "CVE-2024-31077", "@source": "CVE" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2024-31857", "@id": "CVE-2024-31857", "@source": "CVE" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-89", "@title": "SQL Injection(CWE-89)" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)" } ], "title": "Multiple vulnerabilities in WordPress Plugin \"Forminator\"" }