exploitDog

CVE-2021-24168

Опубликовано: 05 апр. 2021

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. This could allow medium privilege accounts (such as author and editor) to perform XSS attacks against high privilege ones like administrator.

Ссылки

https://wpscan.com/vulnerability/bfaa7d79-904e-45f1-bc42-ddd90a65ce74
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/bfaa7d79-904e-45f1-bc42-ddd90a65ce74
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:easy_contact_form_pro_project:easy_contact_form_pro:*:*:*:*:*:wordpress:*:*

Версия до 1.1.1.9 (исключая)

EPSS

Процентиль: 56%

0.00332

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

CWE-79

Связанные уязвимости

GHSA-3jhh-8pq8-rfch

github

больше 3 лет назад

The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. This could allow medium privilege accounts (such as author and editor) to perform XSS attacks against high privilege ones like administrator.

EPSS

Процентиль: 56%

0.00332

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

CWE-79