WS Form LITE and Pro < 1.8.176 - Unauthenticated Stored Cross-Site Scripting via Form Submission
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2022-23988. PoCs published by simonepetruzzi.
AI-analyzed exploit summary This repository contains a proof-of-concept for CVE-2022-23988, an XSS vulnerability in WS Form plugin versions prior to 1.8.176. The PoC demonstrates how an unauthenticated user can inject malicious JavaScript via a form field, which executes when viewed in the admin panel.
Description
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission
Exploits (1)
This repository contains a proof-of-concept for CVE-2022-23988, an XSS vulnerability in WS Form plugin versions prior to 1.8.176. The PoC demonstrates how an unauthenticated user can inject malicious JavaScript via a form field, which executes when viewed in the admin panel.
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N