.. / CVE-2014-4536

Exploit for Infusionsoft Gravity Forms Add-on < 1.5.7 - Cross-Site Scripting (CVE-2014-4536)

Description:

Multiple cross-site scripting vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter.

Nuclei Template

View the template here CVE-2014-4536.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2014/CVE-2014-4536.yaml

References:

http://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss
https://nvd.nist.gov/vuln/detail/CVE-2014-4536
https://github.com/ARPSyndicate/kenzer-templates
https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f
http://wordpress.org/plugins/infusionsoft/changelog

.. / CVE-2014-4536 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Infusionsoft Gravity Forms Add-on < 1.5.7 - Cross-Site Scripting (CVE-2014-4536)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2014-4536