CVE-2021-24907Cross-site Scripting in Everest Forms

CWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
0.5%
top 35.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wpeverest Everest Forms
Timeline
PublishedDec 21
Latest updateDec 22

Description

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-cg8f-cgq8-xchm: The Contact Form, Drag and Drop Form Builder for WordPress plugin before 12021-12-22
CVEList
Everest Forms < 1.8.0 - Reflected Cross-Site Scripting2021-12-21
CVE-2021-24907 — Cross-site Scripting in Everest Forms | cvebase