Reflected Cross-Site Scripting in Contact Form Master Plugin for WordPress
CVE-2024-12587
Key Information:
- Vendor
- Wordpress
- Status
- Vendor
- CVE Published:
- 11 January 2025
Badges
Summary
The Contact Form Master plugin for WordPress, up to version 1.0.7, is susceptible to a reflected cross-site scripting (XSS) vulnerability. This flaw arises due to the plugin's failure to properly sanitize and escape user-input parameters before rendering them on the web page. As a result, an attacker could craft a malicious URL that exploits this vulnerability, potentially targeting users, particularly those with high privileges like administrators. If such a user interacts with the manipulated URL, it can lead to the execution of arbitrary scripts in the context of their session, posing substantial security risks.
Affected Version(s)
Contact Form Master 0 <= 1.0.7
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved