Contact Form With Captcha <= 1.6.2 Cross-Site Request Forgery to Reflected Cross-Site Scripting
CVE-2021-42358

8.8HIGH

Key Information:

Vendor
Wordpress
Status
Contact Form With Captcha
Vendor
CVE Published:
29 November 2021

Summary

The Contact Form With Captcha WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ~/cfwc-form.php file during contact form submission, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 1.6.2.

Affected Version(s)

Contact Form With Captcha 1.6.2

References

https://plugins.trac.wordpress.org/browser/contact-form-w...
x_refsource_MISC
https://wordfence.com/vulnerability-advisories/#CVE-2021-...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yuga Futatsuki, Cryptography Laboratory in Tokyo Denki University
.