Contact Form to Email Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the WordPress plugin Contact Form to Email, version 1.3.24. This vulnerability allows authenticated attackers to inject malicious scripts by including script tags in the form name field. The injected JavaScript executes when other logged-in users access the form management page, potentially leading to session hijacking or credential theft.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the form management page.

Reproduction

To reproduce this vulnerability, log into WordPress and navigate to the Contact Form to Email plugin. Create a new form and enter a name that includes a script tag with JavaScript code, such as an alert. Once the form is published, the injected script will execute when the form management page is accessed by another logged-in user.
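The following is an added example that is not the Contact Form to Email plugin's own code: it sketches the general pattern behind the vulnerability described above (a stored form name written into the management page's HTML without escaping) next to the hardened form a developer would use. The function names, the sample form name and the non-WordPress fallbacks for esc_html() and sanitize_text_field() are all constructed for this illustration; inside WordPress the core functions of those names are used instead.

```php
<?php
// Added example: unescaped vs. escaped rendering of a stored form name.
// NOT the plugin's code; names and sample data below are constructed.

// Fallbacks so the script also runs outside WordPress. Inside WordPress the
// core esc_html() and sanitize_text_field() are used; these approximations
// only cover the behaviour needed here.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str));
    }
}

// Hypothetical vulnerable pattern: the stored name is concatenated into the
// management-page markup as-is, so a name containing <script> becomes markup
// that runs in the browser of every user who opens the page.
function render_form_row_vulnerable(string $form_name): string {
    return '<tr><td>' . $form_name . '</td></tr>';
}

// Hardened pattern: escape at output time. The same stored string is rendered
// as visible text; the browser never sees a <script> element.
function render_form_row_safe(string $form_name): string {
    return '<tr><td>' . esc_html($form_name) . '</td></tr>';
}

// Defence in depth: also strip tags when the name is saved, so a later
// template that forgets to escape has less to work with.
function save_form_name(string $raw): string {
    return sanitize_text_field($raw);
}

// Constructed sample: a form name carrying a script tag, as in the advisory.
$form_name = 'Contact us <script>alert(1)</script>';

echo "vulnerable: " . render_form_row_vulnerable($form_name) . PHP_EOL;
echo "escaped:    " . render_form_row_safe($form_name) . PHP_EOL;
echo "sanitized:  " . save_form_name($form_name) . PHP_EOL;

// Simple self-check: neither hardened path leaves a <script> tag behind.
assert(strpos(render_form_row_safe($form_name), '<script') === false);
assert(strpos(save_form_name($form_name), '<script') === false);
```

Run it with `php example.php`. The escaped line shows `&lt;script&gt;` where the vulnerable line shows a live tag; that difference is what separates a harmless label from the stored XSS the advisory describes, and output-time escaping is the fix that holds even if the input filter is bypassed.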

Added: May 10, 2026, 1:40 PM
Updated: May 10, 2026, 1:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.