Vulnerability Details CVE-2022-0402
The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bob_czy_panstwa_sprawa_zostala_rozwiazana request parameter before outputting it back inside an HTML attribute via the super_language_switcher AJAX action, leading to Reflected Cross-Site Scripting. The action also lacks a CSRF (nonce) check, which makes the attack easier to perform against any user who can be induced to follow a crafted link. Updating to 6.0.4 or later addresses the issue.
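The following is an added illustration of the two defects named above, written for this page; it is not the Super Forms plugin's actual code. Only the action name (super_language_switcher) and the parameter name come from the advisory; the handler bodies, the nonce action string, the `nonce` request field and the echoed markup are assumptions. It shows the vulnerable pattern (raw reflection into an attribute, no nonce check) next to the hardened WordPress idiom (check_ajax_referer on input, esc_attr on output).

```php
<?php
/**
 * Illustrative WordPress AJAX handlers, NOT the Super Forms plugin's code.
 * Action and parameter names are taken from the advisory; everything else
 * (markup, nonce action string, field name 'nonce') is assumed for illustration.
 */

const EXAMPLE_PARAM = 'bob_czy_panstwa_sprawa_zostala_rozwiazana';

// Vulnerable pattern, shown for comparison only (do not register it):
// the parameter is echoed into a quoted attribute unescaped and nothing ties the
// request to the user's session, so a crafted admin-ajax.php link works against
// anyone who follows it.
function example_language_switcher_vulnerable() {
    $value = isset( $_REQUEST[ EXAMPLE_PARAM ] ) ? $_REQUEST[ EXAMPLE_PARAM ] : '';

    // A value containing a double quote closes the attribute, so whatever
    // follows it (new attributes, event handlers, tags) is parsed as markup.
    echo '<input type="hidden" name="lang" value="' . $value . '">';
    wp_die();
}

// Hardened pattern: verify a nonce (CSRF), sanitise on input, escape on output.
// Registered for logged-in users via wp_ajax_; add wp_ajax_nopriv_ only if the
// action is genuinely meant to be reachable unauthenticated.
add_action( 'wp_ajax_super_language_switcher', 'example_language_switcher_fixed' );
function example_language_switcher_fixed() {
    // Terminates the request (wp_die with HTTP 403) unless the 'nonce' field
    // carries a valid nonce created with wp_create_nonce( 'super_language_switcher' ).
    check_ajax_referer( 'super_language_switcher', 'nonce' );

    $value = isset( $_REQUEST[ EXAMPLE_PARAM ] )
        ? sanitize_text_field( wp_unslash( $_REQUEST[ EXAMPLE_PARAM ] ) )
        : '';

    // esc_attr() encodes < > & " ' so the value can no longer close the attribute.
    echo '<input type="hidden" name="lang" value="' . esc_attr( $value ) . '">';
    wp_die();
}
```

The client that calls the action must send the nonce (for example as a `nonce` field obtained from wp_create_nonce with the same action string), otherwise the hardened handler rejects every request. Escaping at the point of output is the part that removes the XSS; the nonce check is the part that stops the request from being forged on a victim's behalf. If the action should only be available to particular roles, a current_user_can() check belongs alongside the nonce check, since a nonce proves intent, not authorisation.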
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004 (roughly a 0.4% predicted probability of exploitation activity in the next 30 days)
EPSS Percentile 59.6%
CVSS Severity
CVSS v3 Score 6.1
Products affected by CVE-2022-0402
- cpe:2.3:a:super-forms:super_forms:3.7.2
- cpe:2.3:a:super-forms:super_forms:3.7.3
- cpe:2.3:a:super-forms:super_forms:4.6.1
- cpe:2.3:a:super-forms:super_forms:4.6.2
- cpe:2.3:a:super-forms:super_forms:4.6.8
- cpe:2.3:a:super-forms:super_forms:4.6.88
- cpe:2.3:a:super-forms:super_forms:4.6.91
- cpe:2.3:a:super-forms:super_forms:4.6.92
- cpe:2.3:a:super-forms:super_forms:4.6.98
- cpe:2.3:a:super-forms:super_forms:4.7.2
- cpe:2.3:a:super-forms:super_forms:4.7.63
- cpe:2.3:a:super-forms:super_forms:4.7.66
- cpe:2.3:a:super-forms:super_forms:4.7.69
- cpe:2.3:a:super-forms:super_forms:4.7.71
- cpe:2.3:a:super-forms:super_forms:4.7.72
- cpe:2.3:a:super-forms:super_forms:4.7.77
- cpe:2.3:a:super-forms:super_forms:4.7.81
- cpe:2.3:a:super-forms:super_forms:4.8.0
- cpe:2.3:a:super-forms:super_forms:4.8.10
- cpe:2.3:a:super-forms:super_forms:4.8.12
- cpe:2.3:a:super-forms:super_forms:4.8.16
- cpe:2.3:a:super-forms:super_forms:4.8.36
- cpe:2.3:a:super-forms:super_forms:4.8.50
- cpe:2.3:a:super-forms:super_forms:4.9
- cpe:2.3:a:super-forms:super_forms:4.9.0
- cpe:2.3:a:super-forms:super_forms:4.9.1
- cpe:2.3:a:super-forms:super_forms:4.9.222
- cpe:2.3:a:super-forms:super_forms:4.9.245
- cpe:2.3:a:super-forms:super_forms:4.9.400
- cpe:2.3:a:super-forms:super_forms:4.9.401
- cpe:2.3:a:super-forms:super_forms:4.9.406
- cpe:2.3:a:super-forms:super_forms:4.9.450
- cpe:2.3:a:super-forms:super_forms:4.9.460
- cpe:2.3:a:super-forms:super_forms:4.9.466
- cpe:2.3:a:super-forms:super_forms:4.9.471
- cpe:2.3:a:super-forms:super_forms:4.9.5
- cpe:2.3:a:super-forms:super_forms:4.9.504
- cpe:2.3:a:super-forms:super_forms:4.9.505
- cpe:2.3:a:super-forms:super_forms:4.9.506
- cpe:2.3:a:super-forms:super_forms:4.9.507
- cpe:2.3:a:super-forms:super_forms:4.9.508
- cpe:2.3:a:super-forms:super_forms:4.9.513
- cpe:2.3:a:super-forms:super_forms:4.9.514
- cpe:2.3:a:super-forms:super_forms:4.9.530
- cpe:2.3:a:super-forms:super_forms:4.9.531
- cpe:2.3:a:super-forms:super_forms:4.9.532
- cpe:2.3:a:super-forms:super_forms:4.9.550
- cpe:2.3:a:super-forms:super_forms:4.9.551
- cpe:2.3:a:super-forms:super_forms:4.9.552
- cpe:2.3:a:super-forms:super_forms:4.9.555
- cpe:2.3:a:super-forms:super_forms:4.9.556
- cpe:2.3:a:super-forms:super_forms:4.9.570
- cpe:2.3:a:super-forms:super_forms:4.9.572
- cpe:2.3:a:super-forms:super_forms:4.9.573
- cpe:2.3:a:super-forms:super_forms:4.9.580
- cpe:2.3:a:super-forms:super_forms:4.9.584
- cpe:2.3:a:super-forms:super_forms:4.9.600
- cpe:2.3:a:super-forms:super_forms:4.9.700
- cpe:2.3:a:super-forms:super_forms:4.9.701
- cpe:2.3:a:super-forms:super_forms:4.9.800
- cpe:2.3:a:super-forms:super_forms:5.0.020
- cpe:2.3:a:super-forms:super_forms:5.0.025
- cpe:2.3:a:super-forms:super_forms:5.0.110
- cpe:2.3:a:super-forms:super_forms:5.0.111
- cpe:2.3:a:super-forms:super_forms:5.0.200
- cpe:2.3:a:super-forms:super_forms:6.0.0
- cpe:2.3:a:super-forms:super_forms:6.0.1