Vulnerability Description
The Contact Form Submissions WordPress plugin before 1.7.3 does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, an unauthenticated attacker could perform Cross-Site Scripting attacks against admins viewing the malicious submission.
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Contact Form Submissions Project | Contact Form Submissions | < 1.7.3 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2682024 (Patch, Third Party Advisory)
- https://wpscan.com/vulnerability/d02cf542-2d75-46bc-a0df-67bbe501cc89 (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-0248?
CVE-2022-0248 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Contact Form Submissions WordPress plugin before 1.7.3 does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, unauth...
How severe is CVE-2022-0248?
CVE-2022-0248 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-0248?
Check the references section above for vendor advisories and patch information. Affected products include Contact Form Submissions (Contact Form Submissions Project), versions before 1.7.3.