CVE-2024-47300
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Tauqeer CubeWP Forms cubewp-forms allows Stored XSS. This issue affects CubeWP Forms: from n/a through <= 1.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in CubeWP Forms plugin for WordPress allows attackers to inject malicious scripts via improper input neutralization.
CubeWP Forms versions 1.1.1 and earlier for WordPress contain a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The vulnerability exists in the cubewp-forms component, allowing arbitrary HTML and JavaScript to be saved and later executed when an administrator or other user views the affected content.
Exploitation requires an authenticated user with contributor-level privileges or higher to submit a crafted form payload. No additional privileges are needed beyond the ability to submit forms, making it accessible to a wide range of WordPress user roles. The stored payload is triggered when a victim administrator loads the page containing the malicious input, meeting the user interaction component of the CVSS score (7.1, High). Attackers commonly chain this type of vulnerability in automated campaigns targeting thousands of sites simultaneously [1].
Successful exploitation enables an attacker to inject persistent scripts that can perform redirections, display advertisements, steal session cookies, or deface pages. Since the malicious payload is stored in the database, every visitor to the affected page will execute it, amplifying the impact across the site’s user base [1].
The vendor released version 1.1.2, which resolves the vulnerability by properly sanitizing form input. All users are strongly advised to update immediately. If an immediate patch is not possible, a virtual patch or security rule can block exploit attempts until the update is applied [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
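An inventory check for the affected range stated above, added here as an example and not taken from the vendor or from this CVE record. It assumes the default WordPress layout (wp-content/plugins/cubewp-forms) and reads the standard "Version:" plugin header from whichever top-level PHP file declares "Plugin Name:", since the page does not name the plugin's main file; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

SLUG = "cubewp-forms"        # plugin slug from the CVE description
LAST_AFFECTED = (1, 1, 1)    # description: "through <= 1.1.1"

# Same shape as a WordPress plugin header line, e.g. " * Version: 1.1.1"
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)

def parse_version(text):
    """Turn '1.1' into (1, 1, 0) so versions compare as tuples."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]  # WordPress reads only the first 8 KB
        if b"Plugin Name:" in head:
            match = VERSION_RE.search(head)
            if match:
                return match.group(1).decode("ascii")
    return None

def check_site(wp_root):
    """Return (status, version); status is absent, unknown, affected or fixed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "absent", None
    version = installed_version(plugin_dir)
    if version is None:
        return "unknown", None  # plugin directory present, header unreadable
    if parse_version(version) <= LAST_AFFECTED:
        return "affected", version
    return "fixed", version

if __name__ == "__main__":
    # Usage: python check_cubewp_forms.py /var/www/site1 /var/www/site2 ...
    for root in sys.argv[1:]:
        status, version = check_site(root)
        print(f"{root}\t{SLUG}\t{version or '-'}\t{status}")
```

A "fixed" result reflects only the installed version. Because the payload is stored in the database, form entries saved before the update should still be reviewed.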