WordPress Plugin Vulnerabilities

Contact Form and Calls To Action by vcita < 2.7.1 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escape the email and uid parameters in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts into the settings, targeting higher-privileged users such as administrators.

Proof of Concept

Affects Plugins

Plugin icon
lead-capturing-call-to-actions-by-vcita
Fixed in 2.7.1

References

CVE
CVE-2023-2302
URL
https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita
URL
https://plugins.trac.wordpress.org/browser/lead-capturing-call-to-actions-by-vcita/trunk/vcita-callback.php

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Jonas Höbenreich
Verified
No
WPVDB ID
16f8e54d-6cb6-45e1-a3bb-eb62fed9afbe

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-04 (about 2 years ago)
Last Updated
2023-07-04 (about 2 years ago)

Other

Published
Title
Published
2025-12-05
Title
Ultra Skype Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_id' Shortcode Attribute
Published
2025-01-16
Title
FooGallery Captions <= 1.0.2 - Reflected Cross-Site Scripting
Published
2022-03-15
Title
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via keyword
Published
2024-06-13
Title
Gutenberg Blocks by Kadence Blocks – Page Builder Features < 3.2.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via titleFont Parameter
Published
2025-01-16
Title
Goo.gl Url Shorter <= 1.0.1 - Reflected Cross-Site Scripting