CVE-2021-24247 - Vulnerability Details - OpenCVE

The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00341.

Key SSVC decision points have not yet been added.

Vendors	Products
Mooveagency	Contact Form Check Tester

Configuration 1 [-]

cpe:2.3:a:mooveagency:contact_form_check_tester:*:*:*:*:*:wordpress:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://wpscan.com/vulnerability/e2990a7a-d4f0-424e-b01d-ecf67cf9c9f3

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-05-05T18:39:43

Updated: 2024-08-03T19:21:18.930Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24247

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-06T13:15:11.600

Modified: 2024-11-21T05:52:40.910

Link: CVE-2021-24247

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Contact Form Check Tester", "vendor": "MooveAgency", "versions": [{"lessThanOrEqual": "1.0.2", "status": "affected", "version": "1.0.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "0xB9"}], "descriptions": [{"lang": "en", "value": "The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-05T18:39:43", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wpscan.com/vulnerability/e2990a7a-d4f0-424e-b01d-ecf67cf9c9f3"}], "source": {"discovery": "UNKNOWN"}, "title": "Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24247", "STATE": "PUBLIC", "TITLE": "Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Contact Form Check Tester", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.0.2", "version_value": "1.0.2"}]}}]}, "vendor_name": "MooveAgency"}]}}, "credit": [{"lang": "eng", "value": "0xB9"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/e2990a7a-d4f0-424e-b01d-ecf67cf9c9f3", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/e2990a7a-d4f0-424e-b01d-ecf67cf9c9f3"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:21:18.930Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wpscan.com/vulnerability/e2990a7a-d4f0-424e-b01d-ecf67cf9c9f3"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24247", "datePublished": "2021-05-05T18:39:43", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:21:18.930Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mooveagency:contact_form_check_tester:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A4420B59-71C6-49AC-8522-B86B27F41EFF", "versionEndIncluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin."}, {"lang": "es", "value": "La configuraci\u00f3n del plugin Contact Form Check Tester WordPress versiones hasta 1.0.2, es visible para todos los usuarios registrados en el tablero y carece de saneamiento. Como resultado, cualquier usuario registrado, como el suscriptor, puede dejar una carga \u00fatil XSS en la configuraci\u00f3n del plugin, que ser\u00e1 activada por cualquier usuario que los visite y podr\u00eda permitir una escalada de privilegios. El proveedor decidi\u00f3 cerrar el plugin"}], "id": "CVE-2021-24247", "lastModified": "2024-11-21T05:52:40.910", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-06T13:15:11.600", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/e2990a7a-d4f0-424e-b01d-ecf67cf9c9f3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/e2990a7a-d4f0-424e-b01d-ecf67cf9c9f3"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "contact@wpscan.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}