CVE-2022-0402
MEDIUMSuper Forms - Drag & Drop Form Builder WordPress plugin <6.0.4 - XSS
Title source: llmDescription
The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bob_czy_panstwa_sprawa_zostala_rozwiazana parameter before outputting it back in an attribute via the super_language_switcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user.
References (2)
Core 2
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/2e2e2478-2488-4c91-8af8-69b07783854f/
Scores
CVSS v3
6.1
EPSS
0.0031
EPSS Percentile
23.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
super-forms/super_forms
< 6.0.4
Published
Jan 16, 2024
Tracked Since
Feb 18, 2026