WordPress Plugin Vulnerabilities

Constant Contact Forms by MailMunch < 2.1.0 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via an unknown parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
constant-contact-forms-by-mailmunch
Fixed in 2.1.0

References

CVE
CVE-2024-22137
URL
https://patchstack.com/database/vulnerability/constant-contact-forms-by-mailmunch/wordpress-constant-contact-forms-by-mailmunch-plugin-2-0-11-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Abu Hurayra (HurayraIIT)
Verified
No
WPVDB ID
88affeeb-b8af-4c13-83d3-706fcb50f28b

Timeline

Publicly Published
2024-01-10 (about 2 years ago)
Added
2024-01-18 (about 2 years ago)
Last Updated
2024-04-22 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
Giveaways and Contests by PromoSimple <= 1.24 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-01-13
Title
LinkedIn SC <= 1.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Page
Published
2023-12-27
Title
Easy Digital Downloads < 3.2.6 - Contributor+ Stored XSS
Published
2014-11-11
Title
WordPress Video Player < 1.5.2 - Multiple Cross-Site Scripting (XSS)
Published
2024-10-01
Title
YML for Yandex Market < 4.7.3 - Reflected Cross-Site Scripting