CVE-2021-42361

Name of the Vulnerable Software and Affected Versions Contact Form Email WordPress plugin versions up to and including 1.3.24

Description The issue arises from insufficient input validation and escaping via the name parameter in the ~/trunk/cp-admin-int-list.inc.php file, allowing attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered html is disabled for administrators, and sites where unfiltered html is disabled.

Recommendations For versions up to and including 1.3.24, update to a version that includes the necessary input validation and escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the name parameter in the affected file until a patch is available. Additionally, review and adjust the unfiltered html settings for administrators to minimize the risk of exploitation.