WordPress Plugin Vulnerabilities

Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry

Proof of Concept

Affects Plugins

Plugin icon
contact-form-entries
Fixed in 1.1.7

References

CVE
CVE-2021-25080
Exploitdb
50617
URL
https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/
URL
https://plugins.trac.wordpress.org/changeset/2450335

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Gaetano Perrone
Submitter
Gaetano Perrone
Verified
Yes
WPVDB ID
acd3d98a-aab8-49be-b77e-e8c6ede171ac

Timeline

Publicly Published
2021-01-05 (about 5 years ago)
Added
2021-12-22 (about 4 years ago)
Last Updated
2022-04-16 (about 3 years ago)

Other

Published
Title
Published
2019-12-13
Title
WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
Published
2024-12-13
Title
Smart PopUp Blaster <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-30
Title
ElementInvader Addons for Elementor < 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-04-01
Title
Page Restriction WordPress < 1.2.7 - Admin+ Stored Cross-Site Scripting
Published
2024-11-08
Title
WP Listings Pro <= 3.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting