CVE-2024-7056
WPForms < 1.9.1.6 - Admin+ Stored XSSThe WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
We have discovered 322,428 live websites that are affected by CVE-2024-7056.
Affected Software
| Product |  WPForms |
| Category | Form Builders |
| Vulnerable Domains | 322,428 live websites (57.63% of WPForms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 207 versions ( 93.24% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Nov 25, 2024
- Updated - Nov 25, 2024
Credits
- Dmitrii Ignatyev (finder)
- WPScan (coordinator)
CWE
CVE References
CWE References
CVE-2024-7056 usage by Country
 United States | 115,792 websites |
 Germany | 40,374 websites |
 France | 21,151 websites |
 GB | 13,514 websites |
 Cyprus | 13,316 websites |
 Netherlands | 8,444 websites |
 Poland | 7,087 websites |
 Spain | 6,853 websites |
 Italy | 5,907 websites |
 Russia | 5,327 websites |
CVE-2024-7056 usage by TLD
| .com | 144,138 websites |
| .de | 15,513 websites |
| .org | 15,173 websites |
| .co.uk | 10,091 websites |
| .nl | 8,654 websites |
| .fr | 8,089 websites |
| .com.br | 7,315 websites |
| .net | 7,120 websites |
| .com.au | 6,156 websites |
| .pl | 5,755 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-7056
Top websites that are affected by CVE-2024-7056. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.domains | United States | *,*** | |
| ************.com | United States | *,*** | |
| ********.com | Germany | *,*** | |
| ****************.com | United States | *,*** | |
| *******.com | Netherlands | *,*** | |
| ************.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ***********************.com | United States | *,*** | |
| *************.com | Cyprus | *,*** |
FAQ
CVE-2024-7056 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WPForms
A total of 322,428 websites have been identified as vulnerable to CVE-2024-7056, discovered through global website indexing conducted by WebTechSurvey.
WPForms is susceptible to CVE-2024-7056 vulnerability.
WPForms versions before 1.9.1.6 are vulnerable to CVE-2024-7056.
Version 1.9.1.6 of WPForms addresses the CVE-2024-7056 security vulnerability.