PT-2022-9635 · WordPress · Contact Form Entries
Gaetano Perrone
·
Published
2022-01-07
·
Updated
2022-01-28
·
CVE-2021-25079
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Contact Form Entries WordPress plugin versions prior to 1.2.4
Description
The Contact Form Entries WordPress plugin does not properly sanitise and escape several request parameters, including form id, status, end date, order, orderby, and search, before outputting them back in the admin page. Because these values are reflected into the page without escaping, the flaw can lead to cross-site scripting (XSS).
Recommendations
For versions prior to 1.2.4, update to version 1.2.4 or later to resolve the issue. Until the update is applied, a temporary workaround is to restrict access to the affected admin page and to avoid using the form id, status, end date, order, orderby, and search parameters there.
Exploit
Fix
XSS
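The escaping fix that the description and recommendations above imply, shown as an added illustrative example. This is not the plugin's code: the function names, the query-string parameter names (form_id, status, end_date, orderby, order, s) and the allowed status and orderby values are assumptions chosen to mirror the parameters the advisory lists. The first function reproduces the pattern the advisory describes (request values echoed back into admin-page markup unescaped); the second applies the WordPress sanitisation and escaping functions that close it.

```php
<?php
// Added illustrative example, not the plugin's code. Function names, parameter
// names and allowed values below are hypothetical.

// BEFORE: the pattern the advisory describes. Values taken from the query string
// are written straight into HTML attributes, so whatever arrives in the URL is
// rendered as markup in the admin page.
function cfe_render_filters_vulnerable() {
    $form_id  = $_GET['form_id'] ?? '';
    $status   = $_GET['status'] ?? '';
    $end_date = $_GET['end_date'] ?? '';
    $orderby  = $_GET['orderby'] ?? 'id';
    $order    = $_GET['order'] ?? 'desc';
    $search   = $_GET['s'] ?? '';

    echo '<input type="hidden" name="form_id" value="' . $form_id . '">';
    echo '<input type="hidden" name="status" value="' . $status . '">';
    echo '<input type="hidden" name="end_date" value="' . $end_date . '">';
    echo '<input type="hidden" name="orderby" value="' . $orderby . '">';
    echo '<input type="hidden" name="order" value="' . $order . '">';
    echo '<input type="search" name="s" value="' . $search . '">';
}

// AFTER: constrain each value to what it can legitimately be on input, then
// escape for the HTML attribute context on output. Both steps are needed:
// validation limits what reaches the page, esc_attr() makes the output inert.
function cfe_render_filters_hardened() {
    // Numeric id: absint() yields a non-negative integer or 0.
    $form_id = isset( $_GET['form_id'] ) ? absint( wp_unslash( $_GET['form_id'] ) ) : 0;

    // Enumerated values: accept only known members (hypothetical lists), else default.
    $allowed_status  = array( '', 'read', 'unread' );
    $allowed_orderby = array( 'id', 'date', 'form_id' );

    $status = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : '';
    if ( ! in_array( $status, $allowed_status, true ) ) {
        $status = '';
    }

    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }

    $order = 'desc';
    if ( isset( $_GET['order'] ) && 'asc' === strtolower( sanitize_key( wp_unslash( $_GET['order'] ) ) ) ) {
        $order = 'asc';
    }

    // Date: keep the value only if it has the YYYY-MM-DD shape.
    $end_date = isset( $_GET['end_date'] ) ? sanitize_text_field( wp_unslash( $_GET['end_date'] ) ) : '';
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $end_date ) ) {
        $end_date = '';
    }

    // Free text: sanitize_text_field() strips tags and control characters on input;
    // the value is still escaped on output because it remains attacker-chosen text.
    $search = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

    echo '<input type="hidden" name="form_id" value="' . esc_attr( $form_id ) . '">';
    echo '<input type="hidden" name="status" value="' . esc_attr( $status ) . '">';
    echo '<input type="hidden" name="end_date" value="' . esc_attr( $end_date ) . '">';
    echo '<input type="hidden" name="orderby" value="' . esc_attr( $orderby ) . '">';
    echo '<input type="hidden" name="order" value="' . esc_attr( $order ) . '">';
    echo '<input type="search" name="s" value="' . esc_attr( $search ) . '">';
}
```

When reviewing a fix of this kind, check that every reflected parameter is escaped with the function matching its output context (esc_attr() inside attributes, esc_html() in element text) rather than relying on input sanitisation alone; the allow-lists for status, orderby and order also give the SQL layer a bounded set of values, which is the same habit that prevents injection there.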
Weakness Enumeration
Related Identifiers
Affected Products
Contact Form Entries