Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: WPScan
Published: 2021-04-05T18:27:43
Updated: 2024-08-03T19:21:18.633Z
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24159
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-04-05T19:15:15.047
Modified: 2024-11-21T05:52:29.540
Link: CVE-2021-24159
Redhat
No data.