CVE-2021-24159

CVE-2021-24159: Contact Form 7 Style <= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Vendor Unknown
Product Contact Form 7 Style
Weakness CWE-352 · CSRF
Published April 5, 2021
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.

Key dates

02Disclosure timeline

April 5, 2021 CVE published
August 3, 2024 Record updated