CVE-2021-24744: WordPress Contact Forms by Cimatti < 1.4.12 - Admin+ Stored Cross-Site Scripting
First published: Mon Oct 25 2021(Updated: )
The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cimatti WordPress Contact Forms | <1.4.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this WordPress plugin vulnerability?
The vulnerability ID for this WordPress plugin vulnerability is CVE-2021-24744.
What is the severity level of CVE-2021-24744?
CVE-2021-24744 has a severity level of medium (4.8).
What is the affected software for CVE-2021-24744?
The affected software for CVE-2021-24744 is the WordPress Contact Forms plugin by Cimatti version up to (exclusive) 1.4.12.
What is the impact of CVE-2021-24744?
CVE-2021-24744 can allow high privilege users to perform Cross-Site Scripting (XSS) attacks, even when the unfiltered_html is disallowed.
How can I fix CVE-2021-24744?
To fix CVE-2021-24744, update the WordPress Contact Forms plugin to version 1.4.12 or later.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/title
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cimatti
- canonical/cimatti wordpress contact forms