Cross-Site Scripting in Contact Form Email Plugin for WordPress by WordPress
CVE-2019-9646

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
Contact Form Email
Vendor
CVE Published:
10 March 2019

Summary

The Contact Form Email plugin for WordPress prior to version 1.2.66 is susceptible to cross-site scripting (XSS) attacks, particularly through wp-admin/admin.php. This vulnerability can be exploited via the 'custom edition area' in the cp_admin_int_edition.inc.php file, enabling unauthorized users to inject malicious scripts. It highlights the importance of timely updates and security measures to protect against potential attacks.

References

https://lists.openwall.net/full-disclosure/2019/02/05/7
x_refsource_MISC
https://security-consulting.icu/blog/2019/02/wordpress-co...
x_refsource_MISC
https://wordpress.org/plugins/contact-form-to-email/#deve...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability Reserved

  • Vulnerability published

.