CVE-2021-24705

Severity Medium
Score 4.8/10

Summary

The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings, as well as form fields, before outputting them in attributes. This could allow attackers to make a logged-in admin edit arbitrary forms with Cross-Site Scripting payloads in them.

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality: LOW
  • Integrity: LOW
  • Availability: NONE

Advisory Timeline

  • Published