CVE-2021-25080

Name of the Vulnerable Software and Affected Versions Contact Form Entries WordPress plugin versions prior to 1.1.7

Description The issue allows unauthenticated attackers to perform Cross-Site Scripting attacks against logged-in admins viewing the created entry. This is due to the plugin not validating, sanitizing, and escaping the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR.

Recommendations For versions prior to 1.1.7, update to version 1.1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality for unauthenticated users until the update is applied.