The Contact Form Entries WordPress plugin prior to 1.1.7 does not validate, sanitise or escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated malicious users to perform Cross-Site Scripting attacks against logged-in admins viewing the created entry.
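As an added illustration (constructed for this page; not the plugin's own code and not the fix shipped in 1.1.7), the following PHP shows the pattern the advisory describes next to a hardened version: the client IP taken from proxy headers is validated with filter_var() before it is stored, and escaped with WordPress core's esc_html() when the entry is rendered to an admin. The function names, the $trust_proxy_headers setting and the $entry array shape are assumptions.

```php
<?php
// Constructed example; not code from the Contact Form Entries plugin.

// Vulnerable pattern (as the advisory describes): a proxy header is trusted
// verbatim, stored with the entry, and later echoed unescaped to an admin.
function cfe_client_ip_unsafe() {
    foreach ( array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR' ) as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) ) {
            return $_SERVER[ $key ]; // request-controlled, never validated
        }
    }
    return $_SERVER['REMOTE_ADDR'];
}

// Hardened version: only accept values that parse as an IP address, and only
// consult proxy headers when the site operator has stated that a trusted
// reverse proxy sets them ($trust_proxy_headers is an assumed setting).
function cfe_client_ip( $trust_proxy_headers = false ) {
    $candidates = array();
    if ( $trust_proxy_headers ) {
        // X-Forwarded-For may carry a comma-separated chain; the left-most
        // entry is the original client as reported by the proxy.
        if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
            $parts        = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
            $candidates[] = trim( $parts[0] );
        }
        if ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
            $candidates[] = trim( $_SERVER['HTTP_CLIENT_IP'] );
        }
    }
    // REMOTE_ADDR is set by the web server itself, so it is always last resort.
    $candidates[] = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    foreach ( $candidates as $ip ) {
        // filter_var() rejects anything that is not a syntactically valid
        // IPv4/IPv6 address, so markup fragments never reach storage.
        if ( filter_var( $ip, FILTER_VALIDATE_IP ) !== false ) {
            return $ip;
        }
    }
    return ''; // no usable address: store nothing rather than a tainted string
}

// Output side: escape on render regardless of what was stored, so an entry
// saved before validation existed still cannot execute in the admin view.
function cfe_render_entry_ip( $entry ) {
    $ip = isset( $entry['ip'] ) ? $entry['ip'] : '';
    echo '<td>' . esc_html( $ip ) . '</td>'; // esc_html() is WordPress core
}
```

Input validation and output escaping are independent controls; keeping both means a value that slipped past validation (or was stored by an older plugin version) is still neutralised at render time. For sites that are not behind a reverse proxy, leave $trust_proxy_headers at false so that only REMOTE_ADDR is consulted, which also removes the ability to spoof the recorded address through a header.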
Vulnerable product: crmperks contact form entries