Vulnerabilities > CVE-2021-25080 - Unspecified vulnerability in Crmperks Contact Form Entries

CVSS 6.1 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

crmperks

NVD

Published: 2022-01-24

Updated: 2024-11-21

Summary

The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry

Vulnerable Configurations

Part	Description	Count
Application	Crmperks Crmperks Contact Form Entries *	1

References

https://plugins.trac.wordpress.org/changeset/2450335
https://plugins.trac.wordpress.org/changeset/2450335
https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac
https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac