CVE-2021-42361 - Unspecified vulnerability in Codepeople Contact Form Email
- Attack vector: UNKNOWN
- Attack complexity: UNKNOWN
- Privileges required: UNKNOWN
- Confidentiality impact: UNKNOWN
- Integrity impact: UNKNOWN
- Availability impact: UNKNOWN
Summary
The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping of the name parameter in the ~/trunk/cp-admin-int-list.inc.php file, which allowed attackers with administrative user access to inject arbitrary web scripts in versions up to and including 1.3.24. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Vulnerable Configurations
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2628041%40contact-form-to-email&new=2628041%40contact-form-to-email&sfp_email=&sfph_mail=
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42361