WordPress Plugin Vulnerabilities

Contact Form Submissions < 1.7.3 - Unauthenticated Stored XSS

Description

The plugin does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, unauthenticated attacker could perform Cross-Site Scripting attacks against admins viewing the malicious submission

Proof of Concept

Affects Plugins

Plugin icon
contact-form-submissions
Fixed in 1.7.3

References

CVE
CVE-2022-0248
URL
https://plugins.trac.wordpress.org/changeset/2682024

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Yoru Oni
Submitter
Yoru Oni
Verified
Yes
WPVDB ID
d02cf542-2d75-46bc-a0df-67bbe501cc89

Timeline

Publicly Published
2022-02-21 (about 3 years ago)
Added
2022-02-21 (about 3 years ago)
Last Updated
2022-04-16 (about 3 years ago)

Other

Published
Title
Published
2025-09-22
Title
VoucherPress <= 1.5.7 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2025-03-04
Title
Hero Mega Menu - Responsive WordPress Menu Plugin <= 1.16.5 - Reflected Cross-Site Scripting
Published
2024-12-30
Title
Post Grid Elementor Addon < 2.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-02-23
Title
Photo Gallery by 10web < 1.5.69 - Reflected Cross-Site Scripting (XSS)
Published
2025-09-12
Title
ListingPro < 2.9.10 - Reflected Cross-Site Scripting