EPSS Percentile: 17.5%
The plugin does not sanitize and escape the vx-entries shortcode attributes before using them, which could allow a logged-in user with a role as low as contributor to inject arbitrary web scripts into posts or pages.
patchstack.com/database/vulnerability/contact-form-entries/wordpress-contact-form-entries-plugin-1-3-0-cross-site-scripting-xss-vulnerability