WordPress · Contact Form Entries · CVE-2021-25079
**Name of the Vulnerable Software and Affected Versions**
Contact Form Entries WordPress plugin versions prior to 1.2.4
**Description**
The Contact Form Entries WordPress plugin, in versions before 1.2.4, does not sanitise or escape the `form id`, `status`, `end date`, `order`, `orderby` and `search` request parameters before writing them back into its admin page. Because the values are reflected into the HTML unchanged, an attacker can craft a URL whose parameters carry script or attribute-breaking markup; an administrator who opens that link while logged in executes the attacker's payload in the context of the site's admin area, which is a reflected cross-site scripting issue (CVE-2021-25079). Script running with an administrator's session can do anything that administrator can, so the practical impact is full site compromise rather than a cosmetic defect.
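The following is an added example, not code from the Contact Form Entries plugin, showing the class of bug described above beside one way to fix it in WordPress plugin code. The parameter names (`form_id`, `status`, `end_date`, `order`, `orderby`, `search`), the allow-listed option values, the capability checked and the admin page slug are all assumptions made for the example.

```php
<?php
/**
 * Added example, not the plugin's own code. Parameter names, allowed values,
 * the capability and the page slug are assumptions for illustration only.
 */

// --- Vulnerable pattern: request values written straight back into markup ---
function cfe_example_render_filters_vulnerable() {
    $form_id = isset( $_GET['form_id'] ) ? $_GET['form_id'] : '';
    $search  = isset( $_GET['search'] ) ? $_GET['search'] : '';
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    // A link such as ...&search="><script>...</script> reaches the page
    // unchanged; an admin who follows it runs the attacker's script.
    echo '<input type="hidden" name="form_id" value="' . $form_id . '">';
    echo '<input type="text" name="search" value="' . $search . '">';
    echo '<a href="?orderby=' . $orderby . '&order=desc">Sort</a>';
}

// --- Hardened pattern: validate on input, escape for the output context -----
function cfe_example_render_filters_hardened() {
    // Only users allowed to manage entries should reach this screen at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    // Numeric id: coerce to a non-negative integer; nothing else survives.
    $form_id = isset( $_GET['form_id'] ) ? absint( wp_unslash( $_GET['form_id'] ) ) : 0;

    // Enumerations: accept only values from a fixed allow-list (assumed values).
    $allowed_status  = array( 'all', 'read', 'unread', 'trash' );
    $allowed_orderby = array( 'id', 'date', 'form_id', 'status' );
    $status  = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : 'all';
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    $order   = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'DESC';
    if ( ! in_array( $status, $allowed_status, true ) ) {
        $status = 'all';
    }
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }
    if ( ! in_array( $order, array( 'ASC', 'DESC' ), true ) ) {
        $order = 'DESC';
    }

    // Date: must round-trip as YYYY-MM-DD or it is discarded.
    $end_date = isset( $_GET['end_date'] ) ? sanitize_text_field( wp_unslash( $_GET['end_date'] ) ) : '';
    if ( '' !== $end_date ) {
        $dt = DateTime::createFromFormat( 'Y-m-d', $end_date );
        if ( ! $dt || $dt->format( 'Y-m-d' ) !== $end_date ) {
            $end_date = '';
        }
    }

    // Free text: strip tags and control characters on input...
    $search = isset( $_GET['search'] ) ? sanitize_text_field( wp_unslash( $_GET['search'] ) ) : '';

    // ...and still escape for the exact context it is written into. A double
    // quote survives sanitize_text_field, so input sanitisation alone would
    // leave the attribute injection open; esc_attr() closes it.
    echo '<input type="hidden" name="form_id" value="' . esc_attr( $form_id ) . '">';
    echo '<input type="text" name="search" value="' . esc_attr( $search ) . '">';
    echo '<input type="date" name="end_date" value="' . esc_attr( $end_date ) . '">';

    // URLs get their own escaper; the query values were allow-listed above.
    $sort_url = add_query_arg(
        array(
            'orderby' => $orderby,
            'order'   => ( 'ASC' === $order ) ? 'desc' : 'asc',
            'status'  => $status,
        ),
        admin_url( 'admin.php?page=example-entries' )
    );
    echo '<a href="' . esc_url( $sort_url ) . '">Sort</a>';
}
```

The two halves of the fix are independent and both are needed: allow-listing and type coercion on input keep the values the code later uses for sorting and filtering under control, while `esc_attr()` and `esc_url()` on output guarantee that whatever does reach the page cannot break out of the attribute or URL it is placed in.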
**Recommendations**
Update to version 1.2.4 or later. The fix is in the plugin code itself; no setting turns the vulnerable output path off. Until the update is applied the exposure can be reduced but not removed: deactivate the plugin, or restrict access to the WordPress admin area (for example by IP allow-listing or an additional authentication layer in front of `/wp-admin/`), and remind administrators not to follow untrusted links while logged in, since the payload is delivered through a crafted URL rather than through anything the administrator types into the page. Advising administrators to avoid the `form id`, `status`, `end date`, `order`, `orderby` and `search` parameters is not an effective workaround, because in a reflected attack it is the attacker, not the administrator, who supplies them.