CVE-2021-24247

Public Exploit
Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)

Description

In the Contact Form Check Tester WordPress plugin through 1.0.2, the plugin settings are visible to all registered users in the dashboard and lack any sanitisation. As a result, any registered user, such as a subscriber, can leave an XSS payload in the plugin settings, which is triggered when any user visits them and could allow privilege escalation. The vendor decided to close the plugin.

CVSS: 5.4
Severity: Medium
EPSS 0.34%
Third-Party Advisory wpscan.com
Affected: MooveAgency Contact Form Check Tester

Frequently Asked Questions

What is the severity of CVE-2021-24247?
CVE-2021-24247 has been scored as a medium severity vulnerability.
How to fix CVE-2021-24247?
To fix CVE-2021-24247, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. For now, there are no other specific guidelines available.
Is CVE-2021-24247 being actively exploited in the wild?
It is possible that CVE-2021-24247 is being exploited or will be exploited in the near future, based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-24247?
CVE-2021-24247 affects MooveAgency Contact Form Check Tester.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.