Everest Forms < 1.8.0 - Reflected Cross-Site Scripting
CVE-2021-24907

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Contact Form, Drag And Drop Form Builder For WordPress – Everest Forms
Vendor: CVE Published:; 21 December 2021

Summary

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Affected Version(s)

Contact Form, Drag and Drop Form Builder for WordPress – Everest Forms 1.8.0

References

https://wpscan.com/vulnerability/56dae1ae-d5d2-45d3-8991-...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 21, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

JrXnm