CVE-2024-4150

Name of the Vulnerable Software and Affected Versions Simple Basic Contact Form plugin for WordPress versions up to and including 20221201

Description The issue arises from insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts via the scf email parameter. This enables attackers to execute scripts on pages if they can trick a user into performing a specific action, such as clicking on a link.

Recommendations For versions up to and including 20221201, consider disabling the scf email parameter until a patch is available to prevent exploitation. Restrict access to the Simple Basic Contact Form plugin to minimize the risk of arbitrary web script injection. Avoid using the scf email parameter in affected pages until the issue is resolved.