WordPress Plugin Vulnerabilities

Contact Form Email < 1.3.25 - Admin+ Stored Cross-Site Scripting

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This only affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

Plugin icon
contact-form-to-email
Fixed in 1.3.25

References

CVE
CVE-2021-42361
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42361

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Mohammed Aadhil Ashfaq
Verified
No
WPVDB ID
90d6b82d-6e92-461d-9691-f228839df8ad

Timeline

Publicly Published
2021-11-11 (about 4 years ago)
Added
2021-11-11 (about 4 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2024-05-29
Title
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) < 2.7.20 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Published
2025-02-24
Title
Contact Form 7 Star Rating with font Awesome <= 1.3 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2023-10-17
Title
WOLF < 1.0.7.2 - Admin+ Stored XSS
Published
2025-04-09
Title
ABA PayWay Payment Gateway for WooCommerce < 2.1.5 - Reflected XSS
Published
2025-01-30
Title
WP Dispensary <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting