WordPress Contact Form Generator Plugin <= 2.5.5 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-37988

7.1HIGH

Key Information:

Vendor: WordPress
Status: Contact Form Generator
Vendor: CVE Published:; 10 August 2023

What is CVE-2023-37988?

An unauthenticated reflected Cross-Site Scripting (XSS) vulnerability affects the Creative Solutions Contact Form Generator plugin versions up to 2.5.5. This flaw allows attackers to inject malicious scripts into the website, potentially leading to data theft or unauthorized actions executed in the context of the user’s browser. Users of the affected plugin are advised to update to a secure version to mitigate the risks associated with this vulnerability.

Affected Version(s)

Contact Form Generator <= 2.5.5

References

https://patchstack.com/database/vulnerability/contact-for...

vdb-entry

http://packetstormsecurity.com/files/174896/WordPress-Con...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 10, 2023
Vulnerability Reserved
Jul 11, 2023

Credit

Arvandy (Patchstack Alliance)