CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24777 – Hotscot Contact Form < 1.3 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24777
The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a get request with the sub_id parameter which not sanitised, escaped or validated before inserting to a SQL statement, leading to an SQL injection. La funcionalidad view submission en el plugin Hotscot Contact Form de WordPress versiones anteriores a 1.3, hace una petición get con el parámetro sub_id que no está saneada, escapada o comprobada antes de insertarse en una sentencia SQL, conllevando a una inyección SQL • https://wpscan.com/vulnerability/2dfde2ef-1b33-4dc9-aa3e-02d319effb3a • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2021-24276 – Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24276
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue El plugin de WordPress Contact Form by Supsystic versiones anteriores a 1.7.15, no saneaba el parámetro tab de su página options antes de generarlo en un atributo, conllevando a un problema de tipo Cross-Site Scripting reflejado WordPress Contact Form plugin version 1.7.14 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/50344 http://packetstormsecurity.com/files/164308/WordPress-Contact-Form-1.7.14-Cross-Site-Scripting.html https://wpscan.com/vulnerability/1301123c-5e63-432a-ab90-3221ca532d9c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 4CVE-2020-10385 – Contact Form by WPForms <= 1.5.8.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-10385
A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress. Hay una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en el plugin WPForms Contact Form (también se conoce como wpforms-lite) versiones anteriores a la versión 1.5.9 para WordPress. WordPress WPForms plugin version 1.5.8.2 suffers from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/48245 https://packetstormsecurity.com/files/156910/WordPress-WP-Forms-1.5.8.2-Cross-Site-Scripting.html https://wordpress.org/plugins/wpforms-lite/#developers https://wpvulndb.com/vulnerabilities/10114 https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-wpforms-plugin https://www.jinsonvarghese.com/stored-xss-vulnerability-found-in-wpforms-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10869 – Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress <= 4.0.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-10869
The contact-form-plugin plugin before 4.0.2 for WordPress has XSS. El complemento contact-form-plugin anterior de 4.0.2 para WordPress tiene XSS • https://wordpress.org/plugins/contact-form-plugin/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2019-25145 – Contact Form & SMTP Plugin by PirateForms <= 2.5.1 - Unauthenticated HTML injection
https://notcve.org/view.php?id=CVE-2019-25145
The Contact Form & SMTP Plugin by PirateForms plugin for WordPress is vulnerable to HTML injection in the ‘public/class-pirateforms-public.php’ file in versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary HTML in emails that could be used to phish unsuspecting victims. • https://blog.nintechnet.com/html-injection-vulnerability-in-wordpress-pirate-forms-plugin https://www.wordfence.com/threat-intel/vulnerabilities/id/9e34c3f6-cc84-4e45-9948-6f7fd5cba8cd?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •