WordPress Plugin Vulnerabilities

Contact Form Email <= 1.2.65 - Multiple Cross-Site Scripting (XSS) & CSRF

Description

The Contact Form Email WordPress plugin was affected by a Multiple Cross-Site Scripting (XSS) & CSRF security vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
contact-form-to-email
Fixed in 1.2.66

References

CVE
CVE-2019-9646
CVE
CVE-2018-20964
CVE
CVE-2018-20963
URL
https://lists.openwall.net/full-disclosure/2019/02/05/7
URL
https://security-consulting.icu/blog/2019/02/wordpress-contact-form-email-xss-csrf/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Tim Coen
Submitter
Ryan Dewhurst
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
ab7d048a-3e4f-4e89-b1b7-8d9a8c09f0d7

Timeline

Publicly Published
2019-02-05 (about 7 years ago)
Added
2019-03-11 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2024-11-08
Title
Cowidgets – Elementor Addons <= 1.2.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2014-05-28
Title
Easy Post Types < 1.4.4 - XSS
Published
2026-03-22
Title
Post Expirator < 4.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-24
Title
Floating Social Bar <= 1.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-01-16
Title
Nite Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting