CVE-2021-24247

Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)

EPSS 4.7%CWE-79

Vexday Risk Score

23Low

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 4.7%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

05 May 2021Published on NVD

02 Feb 2022Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin.

Affected products

MooveAgency · Contact Form Check Tester

public PoCs found — 1

exploitdbwww.exploit-db.com/exploits/50703unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/e2990a7a-d4f0-424e-b01d-ecf67cf9c9f3