The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited.
Published 2021-10-25 14:15:11
Updated 2022-08-30 15:53:32
Source WPScan
View at NVD,
Vulnerability category: Cross site scripting (XSS)Cross-site request forgery (CSRF)Execute code

Exploit prediction scoring system (EPSS) score for CVE-2021-24884

Probability of exploitation activity in the next 30 days EPSS Score History
~ 89 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-24884

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen

CWE ids for CVE-2021-24884

References for CVE-2021-24884

Products affected by CVE-2021-24884

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to terms of use!