Contact Form 7 Database Addon < 1.2.6.2 – Unauthenticated Stored Cross-Site Scripting | CVE 2021-36885

Affects Plugins

contact-form-cfdb7

Fixed in 1.2.6.2

References

CVE

CVE-2021-36885

URL

https://plugins.trac.wordpress.org/changeset/2628652

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

Ex.Mi

Verified

No

WPVDB ID

6adc8b6d-fbcd-44e4-9738-305146159c3e

Timeline

Publicly Published

2021-11-12 (about 4 years ago)

Added

2021-12-22 (about 4 years ago)

Last Updated

2022-04-16 (about 4 years ago)

Other

Published

Title

Published

2024-04-10

Title

F4 Improvements < 1.8.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2025-09-25

Title

Widgets for Tiktok Feed < 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2017-12-19

Title

WP Site Protect 1.0 - Cross-Site Scripting (XSS)

Published

2025-12-11

Title

GPXpress <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2024-10-08

Title

Auto iFrame < 1.8 - Authenticated (Author+) Stored Cross-Site Scripting via tag Parameter