Security Advisory

CVE-2023-0546

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2023-04-10 13:18:07

Last updated 2025-02-11 21:04:47

Assigner WPScan

State PUBLISHED

Description

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form.

← Browse all CVEs View on cve.org ↗