CVE-2021-25080: Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting
First published: Mon Jan 24 2022(Updated: )
The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Crmperks Contact Form Entries | <1.1.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2021-25080.
What is the severity level of CVE-2021-25080?
The severity level of CVE-2021-25080 is medium.
How can an attacker exploit CVE-2021-25080?
An attacker can exploit CVE-2021-25080 by performing Cross-Site Scripting (XSS) attacks against logged in admins viewing the created entry.
Is authentication required for an attacker to exploit CVE-2021-25080?
No, authentication is not required for an attacker to exploit CVE-2021-25080.
Is there a fix available for CVE-2021-25080?
Yes, the Contact Form Entries WordPress plugin has released version 1.1.7 which fixes the vulnerability.
- collector/nvd-index
- agent/type
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/event
- agent/description
- agent/first-publish-date
- agent/tags
- agent/source
- vendor/crmperks
- canonical/crmperks contact form entries