CVE-2012-6312

Video Lead Form plugin for WordPress - Cross-Site Scripting via errMsg Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-6312. PoCs published by Aditya Balapure.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in the Video Lead Form WordPress plugin. The PoC URL injects JavaScript via the 'errMsg' parameter, bypassing input sanitization to execute arbitrary script code in the context of the affected site.

Description

Cross-site scripting (XSS) vulnerability in the Video Lead Form plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the errMsg parameter in a video-lead-form action to wp-admin/admin.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Aditya Balapure · textwebappsphp

https://www.exploit-db.com/exploits/38066

View Code ZIP pw:eip

This exploit demonstrates a reflected XSS vulnerability in the Video Lead Form WordPress plugin. The PoC URL injects JavaScript via the 'errMsg' parameter, bypassing input sanitization to execute arbitrary script code in the context of the affected site.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Video Lead Form WordPress plugin 0.5

No auth needed

Prerequisites: Target site with vulnerable plugin installed · User interaction to visit crafted URL

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

http://wordpress.org/extend/plugins/video-lead-form/changelog/

Third Party Advisory mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2012-12/0060.html

Scores

EPSS 0.0324

EPSS Percentile 86.7%

Details

CWE

CWE-79

Status published

Products (1)

video-lead-form/uk-cookie

Published Dec 11, 2012

Tracked Since Feb 18, 2026