WordPress · Easy Contact Form Pro · CVE-2021-24168
Name of the Vulnerable Software and Affected Versions:
Easy Contact Form Pro WordPress plugin versions prior to 1.1.1.9
Description:
The issue arises from the improper sanitization of text fields, such as Email Subject and Email Recipient, when creating or editing a form. This leads to an authenticated stored cross-site scripting issue, allowing medium privilege accounts, like authors and editors, to perform XSS attacks against high privilege ones, such as administrators.
Recommendations:
For versions prior to 1.1.1.9, update to version 1.1.1.9 or later to resolve the issue. As a temporary workaround, consider restricting access to form creation and editing features to high privilege accounts only, until the update can be applied.