Vulnerability CVE-2018-20964

Vulnerability CVE-2018-20964

Published: 2019-08-13

Description:

The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.

Type:

CWE-352

(Cross-Site Request Forgery (CSRF))

Vendor: Codepeople

Product: Contact form email

Version:

1.2.65
1.2.64
1.2.63
1.2.62
1.2.61
1.2.60
1.2.59
1.2.58
1.2.57
1.2.56
1.2.55
1.2.54
1.2.53
1.2.52
1.2.51
1.2.50
1.2.49
1.2.48
1.2.47
1.2.46
1.2.45
1.2.44
1.2.43
1.2.42
1.2.41

1.2.40
1.2.39
1.2.38
1.2.37
1.2.36
1.2.34
1.2.33
1.2.32
1.2.31
1.2.30
1.2.29
1.2.28
1.2.27
1.2.26
1.2.25
1.2.24
1.2.23
1.2.22
1.2.21
1.2.20
1.2.19
1.2.18
1.2.17
1.2.16
1.2.15

1.2.14
1.2.12
1.2.11
1.2.10
1.2.09
1.2.08
1.2.07
1.2.06
1.2.05
1.1.99
1.1.98
1.1.97
1.1.96
1.1.95
1.1.94
1.1.93
1.1.92
1.1.91
1.1.90
1.1.9
1.1.89
1.1.88
1.1.87
1.1.86
1.1.85

1.1.84
1.1.83
1.1.82
1.1.81
1.1.80
1.1.8
1.1.79
1.1.78
1.1.77
1.1.76
1.1.75
1.1.74
1.1.73
1.1.72
1.1.71
1.1.70
1.1.7
1.1.69
1.1.68
1.1.67
1.1.66
1.1.65
1.1.64
1.1.63
1.1.62

See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6.8/10	6.4/10	8.6/10

Exploit range	Attack complexity	Authentication
Remote	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

References:

https://wordpress.org/plugins/contact-form-to-email/#developers

	Related CVE
CVE-2016-10992	The music-store plugin before 1.0.43 for WordPress has XSS via the wp-admin/admin.php?page=music-store-menu-reports from_year parameter.
CVE-2015-9348	The sell-downloads plugin before 1.0.8 for WordPress has insufficient restrictions on brute-force guessing of purchase IDs.
CVE-2015-9346	The cp-polls plugin before 1.0.5 for WordPress has XSS.
CVE-2016-10916	The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319.
CVE-2016-10909	The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.
CVE-2016-10908	The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.
CVE-2019-14784	The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.
CVE-2018-20963	The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.

Vulnerability CVE-2018-20964

The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.

CWE-352

Vendor: Codepeople

Product: Contact form email

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

6.8/10

6.4/10

8.6/10

Remote

Medium

No required

Partial

Partial

Partial

References:

Related CVE