CVE-2024-31302 – WordPress Contact Form Email plugin <= 1.3.44 - Sensitive Data Exposure vulnerability
https://notcve.org/view.php?id=CVE-2024-31302
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in CodePeople Contact Form Email.This issue affects Contact Form Email: from n/a through 1.3.44. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en CodePeople Contact Form Email. Este problema afecta el correo electrónico del formulario de contacto: desde n/a hasta 1.3.44. The Contact Form Email plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.44 via log files. This makes it possible for unauthenticated attackers to extract sensitive data from log files. • https://patchstack.com/database/vulnerability/contact-form-to-email/wordpress-contact-form-email-plugin-1-3-44-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-5955 – Contact Form Email < 1.3.44 - Editor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-5955
The Contact Form Email WordPress plugin before 1.3.44 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El complemento Contact Form Email de WordPress anterior a 1.3.44 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenados incluso cuando la capacidad unfiltered_html no está permitida (por ejemplo, en configuración multisitio). The Contact Form Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/1b5fce7e-14fc-4548-8747-96fdd58fdd98 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-2718 – Contact Form Email < 1.3.38 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-2718
The Contact Form Email WordPress plugin before 1.3.38 does not escape submitted values before displaying them in the HTML, leading to a Stored XSS vulnerability. The Contact Form Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Message' field in versions up to, and including, 1.3.37 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/8ad824a6-2d49-4f02-8252-393c59aa9705 https://www.onvio.nl/nieuws/research-day-discovering-vulnerabilities-in-wordpress-plugins • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-42361 – Contact Form Email <= 1.3.24 Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-42361
The Contact Form Email WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the name parameter found in the ~/trunk/cp-admin-int-list.inc.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.3.24. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. El plugin de WordPress Contact Form Email es vulnerable a un ataque de tipo Cross-Site Scripting Almacenado, debido a una comprobación de entrada insuficiente y al escape por medio del parámetro name encontrado en el archivo ~/trunk/cp-admin-int-list.inc.php que permitía a atacantes con un usuario administrativo acceso para inyectar scripts web arbitrarios, en versiones hasta la 1.3.24 incluyéndola. Esto afecta a las instalaciones de varios sitios donde unfiltered_html está inhabilitado para los administradores y a los sitios donde unfiltered_html está inhabilitado • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2628041%40contact-form-to-email&new=2628041%40contact-form-to-email&sfp_email=&sfph_mail= https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42361 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20964 – Contact Form Email <= 1.2.65 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-20964
The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF. El complemento contact-form-to-email anterior de 1.2.66 para WordPress tiene CSRF. • https://wordpress.org/plugins/contact-form-to-email/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •