CVE-2008-0197

Name of the Vulnerable Software and Affected Versions WP-ContactForm plugin for WordPress version 1.5 alpha and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters to the wp-admin/admin.php endpoint, including wpcf email, wpcf subject, wpcf question, wpcf answer, wpcf success msg, wpcf error msg, or wpcf msg. Additionally, the SRC attribute of an IFRAME element is vulnerable.

Recommendations For WP-ContactForm plugin for WordPress version 1.5 alpha and earlier, consider disabling the plugin until a patch is available to prevent exploitation. Restrict access to the wp-admin/admin.php endpoint to minimize the risk of exploitation. Avoid using the parameters wpcf email, wpcf subject, wpcf question, wpcf answer, wpcf success msg, wpcf error msg, or wpcf msg in the affected endpoint until the issue is resolved.