WordPress Contact Form Builder, Contact Widget Plugin <= 2.1.6 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-46075

7.1HIGH

Key Information:

Vendor: WordPress
Status: Contact Form Builder, Contact Widget
Vendor: CVE Published:; 26 October 2023

Summary

A reflected cross-site scripting (XSS) vulnerability exists in the WPDevArt Contact Form Builder, Contact Widget plugin for WordPress, specifically in versions 2.1.6 and earlier. This vulnerability allows an attacker to inject malicious scripts into user responses, which may then be executed in the context of an unsuspecting user's browser. Successful exploitation could lead to sensitive data capture or session hijacking, compelling users to exercise caution when interacting with contact forms.

Affected Version(s)

Contact Form Builder, Contact Widget <= 2.1.6

References

https://patchstack.com/database/vulnerability/contact-for...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 26, 2023
Vulnerability Reserved
Oct 16, 2023

Credit

LEE SE HYOUNG (Patchstack Alliance)