Stored Cross-Site Scripting Vulnerability in Contact Form to Any API Plugin
CVE-2024-7617
6.1MEDIUM
Summary
The Contact Form to Any API plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting. This issue arises from insufficient input sanitization and output escaping in Contact Form 7 form fields across all versions up to and including 1.2.2. Unauthenticated attackers can exploit this flaw to inject arbitrary web scripts into pages, potentially compromising user security. Users accessing the compromised pages may inadvertently execute these injected scripts, leading to unauthorized actions and data exposure.
References
CVSS V3.1
Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published