CVE-2022-0248 Contact Form Submissions < 1.7.3 - Unauthenticated Stored XSS

2022-03-1414:41:25

CWE-79

WPScan

www.cve.org

0.001 Low

EPSS

Percentile

31.6%

JSON

The Contact Form Submissions WordPress plugin before 1.7.3 does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, unauthenticated attacker could perform Cross-Site Scripting attacks against admins viewing the malicious submission

CNA Affected

[
  {
    "product": "Contact Form Submissions",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "1.7.3",
        "status": "affected",
        "version": "1.7.3",
        "versionType": "custom"
      }
    ]
  }
]