CVE-2023-0546

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form.

Published: Apr 10, 2023
Updated: Apr 14, 2023
CVE: CVE-2023-0546
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
fluentforms / contact_form	-	4.3.25

https://wpscan.com/vulnerability/078f33cd-0f5c-46fe-b858-2107a09c6b69

Vulnerability Database

289,784

CVE-2023-0546