CVE-2023-0169

MEDIUM

Zoho Forms < 3.0.1 - Stored Cross-Site Scripting via Shortcode Attributes

Title source: llm

Description

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

References (1)

Core 1

Core References

Exploit, Third Party Advisory exploit vdb-entry technical-description

https://wpscan.com/vulnerability/178d71f2-4666-4f7e-ada5-cb72a50fd663

Scores

CVSS v3 5.4

EPSS 0.0128

EPSS Percentile 79.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

Status published

Products (1)

zohocorp/zoho_forms < 3.0.1

Published Feb 13, 2023

Tracked Since Feb 18, 2026