WordPress Plugin Vulnerabilities

Contact Form Entries < 1.3.1 - Contributor+ Stored XSS

Description

The plugin does not sanitize and escape the vx-entries shortcode attributes before using them, which could allow a logged in user with roles as low as contributor to inject arbitrary web scripts into posts or pages.

Affects Plugins

Plugin icon
contact-form-entries
Fixed in 1.3.1

References

CVE
CVE-2023-33311
URL
https://patchstack.com/database/vulnerability/contact-form-entries/wordpress-contact-form-entries-plugin-1-3-0-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
5a10e929-4a57-431e-856f-5c5e81e42ec8

Timeline

Publicly Published
2023-05-22 (about 2 years ago)
Added
2023-05-30 (about 2 years ago)
Last Updated
2023-05-30 (about 2 years ago)

Other

Published
Title
Published
2023-10-03
Title
Instagram for WordPress <= 2.1.6 - Contributor+ Stored XSS
Published
2024-09-30
Title
Broken Link Checker < 2.4.1 - Reflected XSS
Published
2022-07-04
Title
WP Video Lightbox < 1.9.6 - Admin+ Stored Cross-Site Scripting
Published
2025-11-04
Title
Booking Manager < 2.1.18 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-22
Title
RSS Feed Widget < 3.0.1 - Reflected XSS