CVE-2024-13403
WPForms Lite <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML ParameterThe WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all versions up to, and including, 1.9.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 461,908 live websites that are affected by CVE-2024-13403.
Affected Software
| Product |  WPForms |
| Category | Form Builders |
| Vulnerable Domains | 461,908 live websites (82.56% of WPForms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 214 versions ( 96.40% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Feb 4, 2025
- Updated - Feb 4, 2025
Credits
- Asaf Mozes (finder)
CWE
CVE References
CWE References
CVE-2024-13403 usage by Country
 United States | 180,769 websites |
 Germany | 57,847 websites |
 France | 29,370 websites |
 GB | 19,553 websites |
 Cyprus | 18,241 websites |
 Netherlands | 12,984 websites |
 Spain | 8,939 websites |
 Poland | 8,929 websites |
 Italy | 7,792 websites |
 Denmark | 6,586 websites |
CVE-2024-13403 usage by TLD
| .com | 212,227 websites |
| .de | 24,711 websites |
| .org | 22,730 websites |
| .co.uk | 15,342 websites |
| .nl | 13,540 websites |
| .fr | 11,611 websites |
| .net | 10,133 websites |
| .com.au | 9,025 websites |
| .com.br | 8,704 websites |
| .pl | 7,207 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-13403
Top websites that are affected by CVE-2024-13403. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **.*******.io | Germany | *,*** | |
| ***.domains | United States | *,*** | |
| ************.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| ********.com | Germany | *,*** | |
| ****************.com | United States | *,*** | |
| *******.com | Netherlands | *,*** | |
| ************.com | United States | *,*** | |
| ************.net | United States | *,*** | |
| ******.com | United States | *,*** |
FAQ
CVE-2024-13403 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WPForms
A total of 461,908 websites have been identified as vulnerable to CVE-2024-13403, discovered through global website indexing conducted by WebTechSurvey.
WPForms is susceptible to CVE-2024-13403 vulnerability.
WPForms versions before, and including, 1.9.3.1 are vulnerable to CVE-2024-13403.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/92ea6a89-b14f-4252-b886-e219c1bb658d?source=cve
- https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/assets/js/frontend/wpforms.js#L172
- https://wordpress.org/plugins/wpforms-lite/#developers
- https://plugins.trac.wordpress.org/changeset/3230497/wpforms-lite/trunk/assets/js/frontend/wpforms.js?old=3223577&old_path=wpforms-lite%2Ftrunk%2Fassets%2Fjs%2Ffrontend%2Fwpforms.js