Stored Cross-Site Scripting Vulnerability in WordPress Forms Plugin by Contact Form 7
CVE-2024-3715

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Database For Contact Form 7, WPforms, Elementor Forms
Vendor: CVE Published:; 2 May 2024

Summary

The Database for Contact Form 7, WPforms, and Elementor forms plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability. This flaw arises from inadequate input sanitization and output escaping mechanisms present in all versions up to and inclusive of 1.3.8. Unauthenticated attackers can exploit this vulnerability to inject arbitrary web scripts, which may then execute whenever users access infected pages. This poses significant risks, especially for websites utilizing these plugins, as it could lead to unauthorized actions or the compromise of user data.

Affected Version(s)

Database for Contact Form 7, WPforms, Elementor forms * <= 1.3.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Apr 12, 2024

Credit

Tim Coen