CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2200 – Contact Form by BestWebSoft <= 4.2.8 - Reflected Cross-Site Scripting via cntctfrm_contact_subject
https://notcve.org/view.php?id=CVE-2024-2200
The Contact Form by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cntctfrm_contact_subject’ parameter in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. El complemento Contact Form de BestWebSoft para WordPress es vulnerable a Reflected Cross-Site Scripting a través del parámetro 'cntctfrm_contact_subject' en todas las versiones hasta la 4.2.8 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutan si logran engañar a un usuario para que realice una acción como hacer clic en un enlace. • https://github.com/0xkickit/iCUE_DllHijack_LPE-CVE-2024-22002 https://plugins.trac.wordpress.org/changeset/3047840/contact-form-plugin https://www.wordfence.com/threat-intel/vulnerabilities/id/28524702-3428-4fca-afe8-71b3f2dd983d?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2198 – Contact Form by BestWebSoft <= 4.2.8 - Reflected Cross-Site Scripting via cntctfrm_contact_address
https://notcve.org/view.php?id=CVE-2024-2198
The Contact Form by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cntctfrm_contact_address’ parameter in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. El complemento Contact Form de BestWebSoft para WordPress es vulnerable a Reflected Cross-Site Scripting a través del parámetro 'cntctfrm_contact_address' en todas las versiones hasta la 4.2.8 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutan si logran engañar a un usuario para que realice una acción como hacer clic en un enlace. • https://plugins.trac.wordpress.org/changeset/3047840/contact-form-plugin https://www.wordfence.com/threat-intel/vulnerabilities/id/5eb66ca3-768e-4d8c-a0fa-74e78250aee3?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36508 – WordPress Contact Form to DB by BestWebSoft Plugin <= 1.7.1 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-36508
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress contact-form-to-db allows SQL Injection.This issue affects Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress: from n/a through 1.7.1. Neutralización Inadecuada de Elementos Especiales utilizados en una vulnerabilidad de comando SQL ('Inyección SQL') en BestWebSoft Contact Form to DB por BestWebSoft – complemento Messages Database para WordPress contact-form-to-db permite la Inyección SQL. Este problema afecta a Contact Form to DB por BestWebSoft - complemento Messages Database para WordPress: desde n/a hasta la versión 1.7.1. The Contact Form to DB by BestWebSoft plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in versions up to, and including, 1.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/contact-form-to-db/wordpress-contact-form-to-db-by-bestwebsoft-plugin-1-7-1-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29096 – WordPress Contact Form to DB by BestWebSoft Plugin <= 1.7.0 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-29096
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress.This issue affects Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress: from n/a through 1.7.0. Neutralización incorrecta de elementos especiales utilizados en una vulnerabilidad de comando SQL ('Inyección SQL') en BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin for WordPress. Este problema afecta a Contact Form to DB by BestWebSoft – Messages Database Plugin for WordPress: desde n /a hasta 1.7.0. The Contact Form to DB by BestWebSoft plugin for WordPress is vulnerable to SQL Injection via the cntctfrmtdb_department parameter in versions up to, and including, 1.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers , with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/contact-form-to-db/wordpress-contact-form-to-db-by-bestwebsoft-plugin-1-7-0-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2012-10010 – BestWebSoft Contact Form contact_form.php cntctfrm_settings_page cross-site request forgery
https://notcve.org/view.php?id=CVE-2012-10010
A vulnerability was found in BestWebSoft Contact Form 3.21. It has been classified as problematic. This affects the function cntctfrm_settings_page of the file contact_form.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. • https://github.com/wp-plugins/contact-form-plugin/commit/8398d96ff0fe45ec9267d7259961c2ef89ed8005 https://vuldb.com/?ctiid.225321 https://vuldb.com/?id.225321 • CWE-352: Cross-Site Request Forgery (CSRF) •