PT-2021-15679 · WordPress · Constant Contact Forms
Nguyen Anh Tien
·
Published
2021-03-18
·
Updated
2021-03-24
·
CVE-2021-24134
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Constant Contact Forms WordPress plugin versions prior to 1.8.8
Description:
The issue is caused by unvalidated input and a lack of output encoding in the Constant Contact Forms WordPress plugin, leading to multiple Stored Cross-Site Scripting vulnerabilities. This allows a high-privileged user, such as an Editor or higher, to inject arbitrary JavaScript code or HTML in posts where the malicious form is embedded.
Recommendations:
For versions prior to 1.8.8, update to version 1.8.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Constant Contact Forms WordPress plugin until a patch is applied, or limit the privileges of users who can embed forms to prevent potential exploitation.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Constant Contact Forms