What is CVE-2023-0546?

CVE-2023-0546 is a vulnerability in the Contact Form Plugin WordPress plugin before version 4.3.25 that allows a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form.

What is the severity of CVE-2023-0546?

The severity of CVE-2023-0546 is medium with a CVSS score of 5.4.

How does CVE-2023-0546 occur?

CVE-2023-0546 occurs due to improper sanitization and escaping of the srcdoc attribute in iframes in the custom HTML field type of the Contact Form Plugin, which allows the injection of arbitrary JavaScript.

Which software is affected by CVE-2023-0546?

The Contact Form Plugin WordPress plugin before version 4.3.25 is affected by CVE-2023-0546.

How can CVE-2023-0546 be fixed?

To fix CVE-2023-0546, it is recommended to update the Contact Form Plugin to version 4.3.25 or later.

Vulnerability/
CVE-2023-0546

medium

5.4

CWE

10/4/2023

11/2/2025

CVE-2023-0546: FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field

First published: Mon Apr 10 2023(Updated: )

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form.

Credit: contact@wpscan.com

Affected Software	Affected Version	How to fix
Fluent Forms	<4.3.25
	<4.3.25

Never miss a vulnerability like this again

Reference Links

https://wpscan.com/vulnerability/078f33cd-0f5c-46fe-b858-2107a09c6b69

Frequently Asked Questions

What is CVE-2023-0546?
CVE-2023-0546 is a vulnerability in the Contact Form Plugin WordPress plugin before version 4.3.25 that allows a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form.
What is the severity of CVE-2023-0546?
The severity of CVE-2023-0546 is medium with a CVSS score of 5.4.
How does CVE-2023-0546 occur?
CVE-2023-0546 occurs due to improper sanitization and escaping of the srcdoc attribute in iframes in the custom HTML field type of the Contact Form Plugin, which allows the injection of arbitrary JavaScript.
Which software is affected by CVE-2023-0546?
The Contact Form Plugin WordPress plugin before version 4.3.25 is affected by CVE-2023-0546.
How can CVE-2023-0546 be fixed?
To fix CVE-2023-0546, it is recommended to update the Contact Form Plugin to version 4.3.25 or later.

agent/type
agent/author
agent/severity
agent/title
agent/references
agent/weakness
agent/description
agent/first-publish-date
collector/nvd-index
agent/software-canonical-lookup-request
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
agent/source
agent/softwarecombine
agent/tags
agent/event
vendor/fluentforms
canonical/fluent forms

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.