CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Jun 2022 — The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. • https://wpscan.com/vulnerability/4fd2f1ef-39c6-4425-8b4d-1a332dabac8d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Jul 2021 — The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged-in user with the manage_options capability change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. • https://plugins.trac.wordpress.org/changeset/2570402 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-352: Cross-Site Request Forgery (CSRF)