Vulnerability Details CVE-2021-25080
The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged-in admins viewing the created entry.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.516
EPSS Ranking 97.8%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
Products affected by CVE-2021-25080
- cpe:2.3:a:crmperks:contact_form_entries:*