CVE-2021-24168

CVE-2021-24168: Easy Contact Form Pro < 1.1.1.9 - Authenticated Stored Cross-Site Scripting (XSS)

Vendor Unknown
Product Easy Contact Form Pro
Weakness CWE-79 · XSS
Published April 5, 2021
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. This could allow medium privilege accounts (such as author and editor) to perform XSS attacks against high privilege ones like administrator.

Key dates

02Disclosure timeline

April 5, 2021 CVE published
August 3, 2024 Record updated