Stored Cross-Site Scripting Vulnerability in Contact Form Builder by vcita for WordPress
CVE-2023-2300
5.4 MEDIUM
Summary
The Contact Form Builder by vcita plugin for WordPress is vulnerable to stored cross-site scripting via the 'email' parameter: authenticated users with sufficient privileges can inject arbitrary web scripts. The flaw stems from inadequate input sanitization and output escaping, so injected script executes on pages viewed by other users. Attackers holding the edit_posts capability (contributors and above) could leverage this flaw to compromise the integrity of pages that use the plugin and potentially gain unauthorized access to sensitive user data.
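The failure pattern described above, as an added illustration that is not the plugin's own code: a handler that stores the 'email' parameter unsanitized and echoes it back unescaped, beside a hardened version that checks capability and nonce, validates with is_email(), sanitizes on save and escapes on output. The option name, form field and function names are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's code. Option name, field and
// function names are hypothetical; the WordPress API calls are real.

// --- Vulnerable pattern: raw input stored, raw output echoed ---
function cfb_demo_save_email_vulnerable() {
    if ( isset( $_POST['email'] ) ) {
        // No validation or sanitization: whatever was submitted is persisted.
        update_option( 'cfb_demo_notify_email', wp_unslash( $_POST['email'] ) );
    }
}

function cfb_demo_render_email_vulnerable() {
    $email = get_option( 'cfb_demo_notify_email', '' );
    // Unescaped output inside an attribute: stored markup becomes live
    // script for every user who views this page.
    echo '<input type="text" name="email" value="' . $email . '">';
}

// --- Hardened pattern: capability + nonce check, validate, sanitize, escape ---
function cfb_demo_save_email_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // Only administrators may change the notification address.
    }
    check_admin_referer( 'cfb_demo_save_email' ); // CSRF protection.
    if ( ! isset( $_POST['email'] ) ) {
        return;
    }
    $raw = wp_unslash( $_POST['email'] );
    // sanitize_email() strips characters not valid in an address;
    // is_email() then rejects anything still not a well-formed address.
    $email = sanitize_email( $raw );
    if ( ! is_email( $email ) ) {
        return; // Reject rather than store a mangled value.
    }
    update_option( 'cfb_demo_notify_email', $email );
}

function cfb_demo_render_email_hardened() {
    $email = get_option( 'cfb_demo_notify_email', '' );
    // esc_attr() for attribute context, esc_html() for text context:
    // the escaper is chosen by where the value lands, not by its input type.
    echo '<input type="text" name="email" value="' . esc_attr( $email ) . '">';
    echo '<p>Notifications go to ' . esc_html( $email ) . '</p>';
}
```

Sanitizing on save is defence in depth; escaping at output is the control that actually prevents the stored value from being interpreted as markup.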
Affected Version(s)
Contact Form Builder by vcita * <= 4.9.1
References
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Jonas Höbenreich