Reflected Cross-Site Scripting in Contact Form 7 Redirect & Thank You Page for WordPress
CVE-2024-12423

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Contact Form 7 Redirect & Thank You Page
Vendor: CVE Published:; 15 January 2025

Summary

The Contact Form 7 Redirect & Thank You Page plugin for WordPress presents a vulnerability that allows unauthenticated attackers to perform Reflected Cross-Site Scripting. This arises from inadequate input sanitization and output escaping in the 'post' parameter, vulnerable in all versions up to and including 1.0.7. If attackers manage to persuade users to interact with malicious links, they may successfully inject arbitrary web scripts that execute within the user's browser context, potentially compromising their session and gaining access to sensitive information.

Affected Version(s)

Contact Form 7 Redirect & Thank You Page * <= 1.0.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/cf7-redirect-t...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 15, 2025
Vulnerability Reserved
Dec 10, 2024

Credit

Dale Mavers