Contact Forms by Cimatti < 1.5.5 – Unauthenticated Stored XSS | CVE 2023-28781

Affects Plugins

contact-forms

Fixed in 1.5.5

References

CVE

CVE-2023-28781

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

8.8 (high)

Miscellaneous

Original Researcher

thiennv

Verified

No

WPVDB ID

3e971d5a-2432-4daf-a3a9-891fefd0cd6c

Timeline

Publicly Published

2023-03-27 (about 3 years ago)

Added

2023-04-10 (about 3 years ago)

Last Updated

2023-04-10 (about 3 years ago)

Other

Published

Title

Published

2024-10-03

Title

Easy Demo Importer – A Modern One-Click Demo Import Solution < 1.1.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2014-08-01

Title

Booking System - Reflected Cross-Site Scripting (XSS)

Published

2023-03-27

Title

Contact Forms by Cimatti < 1.5.5 - Reflected XSS

Published

2018-05-14

Title

WP ULike <= 3.1 - Unauthenticated Stored XSS

Published

2025-02-20

Title

3D Photo Gallery <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting