WordPress Contact Form Builder, Contact Widget Plugin <= 2.1.6 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-46075

7.1HIGH

Key Information:

Vendor

WordPress
Status
Contact Form Builder, Contact Widget
Vendor
CVE Published:
26 October 2023

What is CVE-2023-46075?

A reflected cross-site scripting (XSS) vulnerability exists in the WPDevArt Contact Form Builder, Contact Widget plugin for WordPress, specifically in versions 2.1.6 and earlier. This vulnerability allows an attacker to inject malicious scripts into user responses, which may then be executed in the context of an unsuspecting user's browser. Successful exploitation could lead to sensitive data capture or session hijacking, compelling users to exercise caution when interacting with contact forms.

Affected Version(s)

Contact Form Builder, Contact Widget <= 2.1.6

References

https://patchstack.com/database/vulnerability/contact-for...
vdb-entry

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

LEE SE HYOUNG (Patchstack Alliance)
.
CVE-2023-46075 : WordPress Contact Form Builder, Contact Widget Plugin <= 2.1.6 is vulnerable to Cross Site Scripting (XSS)