Vulnerability CVE-2018-20963

Published: 2019-08-13

Description:
The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.

Type:
CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Codepeople
Product: Contact form email
Version:
1.2.65
1.2.64
1.2.63
1.2.62
1.2.61
1.2.60
1.2.59
1.2.58
1.2.57
1.2.56
1.2.55
1.2.54
1.2.53
1.2.52
1.2.51
1.2.50
1.2.49
1.2.48
1.2.47
1.2.46
1.2.45
1.2.44
1.2.43
1.2.42
1.2.41
1.2.40
1.2.39
1.2.38
1.2.37
1.2.36
1.2.34
1.2.33
1.2.32
1.2.31
1.2.30
1.2.29
1.2.28
1.2.27
1.2.26
1.2.25
1.2.24
1.2.23
1.2.22
1.2.21
1.2.20
1.2.19
1.2.18
1.2.17
1.2.16
1.2.15
1.2.14
1.2.12
1.2.11
1.2.10
1.2.09
1.2.08
1.2.07
1.2.06
1.2.05
1.1.99
1.1.98
1.1.97
1.1.96
1.1.95
1.1.94
1.1.93
1.1.92
1.1.91
1.1.90
1.1.9
1.1.89
1.1.88
1.1.87
1.1.86
1.1.85
1.1.84
1.1.83
1.1.82
1.1.81
1.1.80
1.1.8
1.1.79
1.1.78
1.1.77
1.1.76
1.1.75
1.1.74
1.1.73
1.1.72
1.1.71
1.1.70
1.1.7
1.1.69
1.1.68
1.1.67
1.1.66
1.1.65
1.1.64
1.1.63
1.1.62
See more versions on NVD

CVSS2 vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score          4.3/10
Impact Subscore          2.9/10
Exploitability Subscore  8.6/10

Exploit range            Remote
Attack complexity        Medium
Authentication           None required
Confidentiality impact   None
Integrity impact         Partial
Availability impact      None

References:
https://wordpress.org/plugins/contact-form-to-email/#developers

Related CVE
CVE-2016-10909
The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.
CVE-2016-10908
The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.
CVE-2019-14784
The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.
CVE-2018-20964
The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.
CVE-2019-14791
The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.
CVE-2019-14785
The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress has XSS in the publishing wizard via the wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1 cp_contactformpp_id parameter.
CVE-2015-7666
Multiple cross-site scripting (XSS) vulnerabilities in the (1) cp_updateMessageItem and (2) cp_deleteMessageItem functions in cp_ppp_admin_int_message_list.inc.php in the Payment Form for PayPal Pro plugin before 1.0.2 for WordPress allow remote atta...
CVE-2015-7320
Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecif...

Copyright 2019, cxsecurity.com