Threat Entry Updated 2024-11-21

CVE-2023-5955 - Contact Form Email Plugin

The Contact Form Email WordPress plugin before 1.3.44 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Contact Form Email

CVE-2023-5955

MEDIUM CVSS 4.8 2023-12-11

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-2718 - Contact Form Email Plugin

The Contact Form Email WordPress plugin before 1.3.38 does not escape submitted values before displaying them in the HTML, leading to a Stored XSS vulnerability.

PLUGIN Contact Form Email

CVE-2023-2718

MEDIUM CVSS 5.4 2023-06-12

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-42361 - Contact Form Email Plugin

The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.3.24. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

PLUGIN Contact Form Email

CVE-2021-42361

MEDIUM CVSS 4.8 2021-11-17

Risk Score

Open Full Technical Breakdown