1. Home
  2. CVE Database
  3. CVE-2021-24168
MEDIUM · 5.4

CVE-2021-24168

The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authent...

Vulnerability Description

The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. This could allow medium privilege accounts (such as author and editor) to perform XSS attacks against high privilege ones like administrator.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
Easy Contact Form Pro ProjectEasy Contact Form Pro< 1.1.1.9

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2021-24168?

CVE-2021-24168 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authent...

How severe is CVE-2021-24168?

CVE-2021-24168 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-24168?

Check the references section above for vendor advisories and patch information. Affected products include: Easy Contact Form Pro Project Easy Contact Form Pro.