CVE-2024-2242
Published 2024-03-13
CVE-2024-2242: The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including…
Priority: P4 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.30% (66.9th percentile)
The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rocklobster | contact_form_7 | < 5.9.2 | 5.9.2 |
| rocklobsterinc | contact_form_7 | <= 5.9 | — |
VulDB
Contact Form 7 Plugin up to 5.9 on WordPress cross site scripting (ID 3049594)
vuldb·2026-04-13·CVSS 6.1
CVE-2024-2242 [MEDIUM] Contact Form 7 Plugin up to 5.9 on WordPress cross site scripting (ID 3049594)
A vulnerability identified as problematic has been detected in Contact Form 7 Plugin up to 5.9 on WordPress. This vulnerability affects unknown code. This manipulation causes cross site scripting.
The identification of this vulnerability is CVE-2024-2242. It is possible to initiate the attack remotely. There is no exploit available.
GHSA
GHSA-4844-58hp-rqwx: The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and incl
ghsa_unreviewed·2024-03-14
CVE-2024-2242 [MEDIUM] CWE-79 GHSA-4844-58hp-rqwx: The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and incl
Suricata
GPL FTP MKD overflow (indexed by reference match only: the rule's `reference:bugtraq,2242` collides with this CVE's number; it detects CVE-1999-0368, an FTP MKD overflow, and does not cover CVE-2024-2242)
suricata·2010-09-23
CVE-1999-0368 GPL FTP MKD overflow
GPL FTP MKD overflow
Rule: alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD overflow"; flow:established,to_server; content:"MKD "; isdataat:100,relative; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:2100349; rev:14; metadata:created_at 2010_09_23, cve CVE_1999_0368, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
No public exploits indexed.
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/changeset/3049594/contact-form-7/trunk/admin/edit-contact-form.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d5bf4972-424a-4470-a0bc-7dcc95378e0e?source=cve
Published: 2024-03-13