Vulnerability CVE-2018-20964


Published: 2019-08-13

Description:
The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.

Type: CWE-352 (Cross-Site Request Forgery (CSRF))

Vendor: Codepeople
Product: Contact form email 
Version:
1.2.65
1.2.64
1.2.63
1.2.62
1.2.61
1.2.60
1.2.59
1.2.58
1.2.57
1.2.56
1.2.55
1.2.54
1.2.53
1.2.52
1.2.51
1.2.50
1.2.49
1.2.48
1.2.47
1.2.46
1.2.45
1.2.44
1.2.43
1.2.42
1.2.41
1.2.40
1.2.39
1.2.38
1.2.37
1.2.36
1.2.34
1.2.33
1.2.32
1.2.31
1.2.30
1.2.29
1.2.28
1.2.27
1.2.26
1.2.25
1.2.24
1.2.23
1.2.22
1.2.21
1.2.20
1.2.19
1.2.18
1.2.17
1.2.16
1.2.15
1.2.14
1.2.12
1.2.11
1.2.10
1.2.09
1.2.08
1.2.07
1.2.06
1.2.05
1.1.99
1.1.98
1.1.97
1.1.96
1.1.95
1.1.94
1.1.93
1.1.92
1.1.91
1.1.90
1.1.9
1.1.89
1.1.88
1.1.87
1.1.86
1.1.85
1.1.84
1.1.83
1.1.82
1.1.81
1.1.80
1.1.8
1.1.79
1.1.78
1.1.77
1.1.76
1.1.75
1.1.74
1.1.73
1.1.72
1.1.71
1.1.70
1.1.7
1.1.69
1.1.68
1.1.67
1.1.66
1.1.65
1.1.64
1.1.63
1.1.62

CVSS2 vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score:         6.8/10
Impact Subscore:         6.4/10
Exploitability Subscore: 8.6/10

Exploit range:     Remote
Attack complexity: Medium
Authentication:    Not required

Confidentiality impact: Partial
Integrity impact:       Partial
Availability impact:    Partial

References:
https://wordpress.org/plugins/contact-form-to-email/#developers

Related CVE
CVE-2016-10992
The music-store plugin before 1.0.43 for WordPress has XSS via the wp-admin/admin.php?page=music-store-menu-reports from_year parameter.
CVE-2015-9348
The sell-downloads plugin before 1.0.8 for WordPress has insufficient restrictions on brute-force guessing of purchase IDs.
CVE-2015-9346
The cp-polls plugin before 1.0.5 for WordPress has XSS.
CVE-2016-10916
The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319.
CVE-2016-10909
The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.
CVE-2016-10908
The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.
CVE-2019-14784
The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.
CVE-2018-20963
The contact-form-to-email plugin before 1.2.66 for WordPress has XSS.

Copyright 2019, cxsecurity.com
