Key information

Vulnerability description
Vulnerability name: Lead Form Builder < 1.9.8 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered HTML capability is disallowed.

Affected plugin
Plugin name: lead-form-builder
Fixed in version: 1.9.8

References
CVE ID: CVE-2024-10475
URL: https://research.cleantalk.org/CVE-2024-10475

Classification
Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE ID: CWE-79
CVSS score: 3.5 (Low)

Other information
Original researcher: Krugov Artyom
Submitter: Krugov Artyom
Submitter website: https://research.cleantalk.org
Verified: Yes
WPVDB ID: faca59fb-6b59-45b0-8b97-c4125d9d3cb3

Timeline
Publicly published: 2024-10-23
Added: 2025-03-03
Last updated: 2025-03-03

Other related vulnerabilities
Plezzi < 1.0.3 - Unauthenticated Stored XSS
Plenigo <= 112.0 - Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)
WP Easy Gallery <= 4.1.4 - Reflected Cross-Site Scripting (XSS)
PWA — easy way to Progressive Web App < 1.6.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Gallery < 2.2.2 - Authenticated (Author+) Stored Cross-Site Scripting