Really Simple Security logo

Log out
Get PRO

Black Friday Deals 40% OFF

Days
Hours
Minutes

USE CODE: BF2025

Latest

Input validation vulnerability in Contact Form Email 1.3.12

  • Severity: high-risk
  • Status: Fixed
  • Publication: May 13, 2015

The Contact Form Email plugin for WordPress is a tool that is vulnerable to a type of attack called Cross-Site Request Forgery in versions up to and including 1.3.11. This means that someone who is not authenticated (not logged in) can modify the settings of the plugin and inject malicious JavaScript into the website. This can be done if the attacker can get a website administrator to click on a link they sent. The vulnerability is due to the lack of nonce validation on the ‘cp_cfte_rep_enable’ action. For versions lower than or equal to 1.1.4, the malicious JavaScript can be injected via the ‘cp_cfte_rep_message’ parameter.

Detected in:

Contact Form Email fixed vulnerable versions: >= * < 1.3.12

This information is sourced from www.wpvulnerability.com. An open-source database of vulnerabilities maintained by the community. Help us out by submitting vulnerabilities!

Version compare shows which versions have a vulnerability. For example: >= 2.2.8 <= 2.2.21 means:

> from 2.2.8
= including 2.2.8 & 2.2.21
< to 2.2.21

  • Incorrect?

Is this information incorrect? Please leave us a message.