CVE-2024-2295 | Vulnerability Database

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-2295
CWE	https://cwe.mitre.org/data/definitions/.html

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-2295

CWE

https://cwe.mitre.org/data/definitions/.html

The Contact Form Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins [xyz-cfm-form] shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

References

https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3095454%40contact-form-manager\u0026new=3095454%40contact-form-manager\u0026sfp_email=\u0026sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/1cda411b-b277-4b4d-9087-dadede4b67dd?source=cve