The affected software is the Contact Form Master WordPress plugin; versions up to 1.0.7 are vulnerable.
The issue is a reflected cross-site scripting (XSS) vulnerability: the plugin reads a request parameter and writes it back into the page without sanitizing the input or escaping it for the HTML context it is output into.
Because the injected script runs in the browser of whoever opens the crafted link, the bug is most dangerous against high-privilege users such as administrators, since the script executes inside their authenticated session and can perform actions on their behalf.
The vulnerability is tracked publicly as CVE-2024-12587.
No information is given on whether it has been exploited in the wild or on how many installations are affected.
Exploitation requires user interaction: the attacker crafts a URL that carries the payload in the unsanitized parameter and lures a victim into opening it; the plugin reflects the payload into the response and the victim's browser executes it as part of the site's origin.
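The sink pattern described above, shown as a minimal vulnerable render function beside its escaped form. This is an added example, not code from the Contact Form Master plugin or from the advisory; the parameter name `cfm_msg`, the function names and the placeholder base URL are assumptions chosen for illustration, and the WordPress helper shims exist only so the script runs stand-alone with `php reflected_xss.php`.

```php
<?php
// Added example, not code from the Contact Form Master plugin: a minimal
// reflected-XSS sink of the kind the advisory describes, next to its fixed
// form. The parameter name "cfm_msg", the function names and the URL used
// below are hypothetical and chosen only for illustration.

// Shims so the script also runs outside WordPress (`php reflected_xss.php`).
// Inside WordPress the plugin would call the real wp_unslash(),
// sanitize_text_field(), esc_attr() and esc_html(); these approximations
// only exist so the example is self-contained.
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_array($value) ? array_map('wp_unslash', $value) : stripslashes((string) $value);
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $str);
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]+/', '', $str);
        return trim(preg_replace('/\s+/', ' ', $str));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE: the request value is written straight into an attribute and
// into element text. Anything in the query string ends up in the markup.
function cfm_render_notice_vulnerable(array $request) {
    $msg = isset($request['cfm_msg']) ? $request['cfm_msg'] : '';
    return '<div class="cfm-notice" data-msg="' . $msg . '">' . $msg . '</div>';
}

// FIXED: sanitize on input, then escape for the exact output context at the
// point of output (esc_attr inside the attribute, esc_html in element text).
// The escaping is what actually prevents XSS; the sanitizing is defence in depth.
function cfm_render_notice_fixed(array $request) {
    $msg = isset($request['cfm_msg']) ? sanitize_text_field(wp_unslash($request['cfm_msg'])) : '';
    return '<div class="cfm-notice" data-msg="' . esc_attr($msg) . '">' . esc_html($msg) . '</div>';
}

// What the attacker sends: the payload URL-encoded into the reflected parameter
// of a page the victim can load. The base URL is a placeholder.
function cfm_lure_url($base, $payload) {
    return $base . '?' . http_build_query(['cfm_msg' => $payload], '', '&', PHP_QUERY_RFC3986);
}

// Constructed attacker-controlled input: breaks out of the data-msg attribute,
// then injects a script that runs with the victim's session.
$payload = '"><script>alert(document.cookie)</script>';

echo "lure URL:   " . cfm_lure_url('https://victim.example/', $payload) . "\n";

$vuln  = cfm_render_notice_vulnerable(['cfm_msg' => $payload]);
$fixed = cfm_render_notice_fixed(['cfm_msg' => $payload]);
echo "vulnerable: $vuln\n";
echo "fixed:      $fixed\n";

// The vulnerable output contains a live <script> element; the fixed output
// contains no unescaped "<" originating from user input.
if (strpos($vuln, '<script>') === false || strpos($fixed, '<script') !== false) {
    throw new RuntimeException('unexpected rendering result');
}
```

The point to take from the fixed version is that the escaping function must match the output context: `esc_attr()` inside a quoted attribute and `esc_html()` in element text. Sanitizing on input alone is not sufficient, because a value that is harmless in one context can still break out of another, and an `href` or inline `onclick` context would need `esc_url()` or `esc_js()` instead.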
#CVE-2024-12587 #ContactFormMaster #WordPressPlugin #ReflectedXSS #CrossSiteScripting