Vulnerability Details CVE-2021-24134
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 40.8%
CVSS Severity
CVSS v3 Score 4.8
CVSS v2 Score 3.5
References
Products affected by CVE-2021-24134
-
cpe:2.3:a:constantcontact:constant_contact_forms:1.8.0
-
cpe:2.3:a:constantcontact:constant_contact_forms:1.8.1
-
cpe:2.3:a:constantcontact:constant_contact_forms:1.8.2
-
cpe:2.3:a:constantcontact:constant_contact_forms:1.8.3
-
cpe:2.3:a:constantcontact:constant_contact_forms:1.8.4
-
cpe:2.3:a:constantcontact:constant_contact_forms:1.8.5
-
cpe:2.3:a:constantcontact:constant_contact_forms:1.8.6
-
cpe:2.3:a:constantcontact:constant_contact_forms:1.8.7