WordPress Plugin Vulnerabilities

Track Geolocation Of Users Using Contact Form 7 < 2.1 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Affects Plugins

Plugin icon
track-geolocation-of-users-using-contact-form-7
Fixed in 2.1

References

CVE
CVE-2023-49188
URL
https://patchstack.com/database/vulnerability/track-geolocation-of-users-using-contact-form-7/wordpress-track-geolocation-of-users-using-contact-form-7-plugin-1-4-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
DoYeon Park (p6rkdoye0n)
Verified
No
WPVDB ID
da5ea560-816a-43b4-98f6-4b2d7e36e631

Timeline

Publicly Published
2023-11-29 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-08-13 (about 1 year ago)

Other

Published
Title
Published
2024-08-01
Title
LiquidPoll – Advanced Polls for Creators and Brands < 3.3.78 - Unauthenticated Stored Cross-Site Scripting
Published
2021-11-15
Title
Flex Local Fonts <= 1.0.0 - Admin+ Stored Cross-Site-Scripting
Published
2025-01-16
Title
LH Login Page <= 2.14 - Reflected Cross-Site Scripting
Published
2023-11-03
Title
Gift Up Gift Cards for WordPress and WooCommerce < 2.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-06-03
Title
Staff Directory – Employee Directory for WordPress < 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting