Stored Cross-Site Scripting Vulnerability in Contact Form & SMTP Plugin by PirateForms
CVE-2024-11272
Summary
The Contact Form & SMTP Plugin for WordPress by PirateForms prior to version 2.6.0 is susceptible to stored cross-site scripting attacks. The vulnerability arises due to the failure to properly sanitize and escape certain settings, allowing high-privilege users, such as administrators, to exploit the flaw. This issue can occur even when the unfiltered_html capability is disabled, posing a significant risk in environments such as multisite setups where security settings can vary.
Affected Version(s)
Contact Form & SMTP Plugin for WordPress by PirateForms 0 < 2.6.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved