CVE-2021-24134: XSS
First published: Thu Mar 18 2021(Updated: )
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Constant Contact Forms | <1.8.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2021-24134?
CVE-2021-24134 is considered a critical vulnerability due to its potential for stored cross-site scripting attacks.
How do I fix CVE-2021-24134?
To fix CVE-2021-24134, update the Constant Contact Forms WordPress plugin to version 1.8.8 or later.
Who is affected by CVE-2021-24134?
CVE-2021-24134 affects high-privileged users, particularly those with Editor or greater roles in the Constant Contact Forms WordPress plugin.
What kind of attacks can be executed due to CVE-2021-24134?
CVE-2021-24134 allows attackers to inject arbitrary JavaScript code or HTML into posts, leading to potential data theft or user session hijacking.
What versions of the Constant Contact Forms plugin are vulnerable to CVE-2021-24134?
Versions of the Constant Contact Forms plugin before 1.8.8 are vulnerable to CVE-2021-24134.
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/constantcontact
- canonical/constant contact forms