CVE-2015-4010

Name of the Vulnerable Software and Affected Versions Encrypted Contact Form plugin versions prior to 1.1

Description A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks. This is achieved via the iframe url parameter in an Update Page action in the conformconf page to "wp-admin/options-general.php".

Recommendations For Encrypted Contact Form plugin versions prior to 1.1, update to version 1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the conformconf page and the wp-admin/options-general.php endpoint to minimize the risk of exploitation. Avoid using the iframe url parameter in the affected Update Page action until the issue is resolved.