CVE-2021-24907

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-24907

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-24907.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-24907

Published

2021-12-21T09:15:07.140Z

Modified

2026-04-10T04:30:54.850075Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

References

https://wpscan.com/vulnerability/56dae1ae-d5d2-45d3-8991-db69cc47ddb7

Affected packages

Git / github.com/wpeverest/everest-forms

Affected ranges

Type

GIT

Repo

https://github.com/wpeverest/everest-forms

Events

Introduced

Fixed

6612f9c83b8542b0f4468a2894d95c38e2595c51

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.8.0"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.1.0

1.1.0-rc.1

1.1.3

1.1.4

1.2.0

1.2.0-rc.1

1.3.0

1.3.2

1.3.4

1.4.0

1.4.0-beta

1.4.0-beta2

1.4.0-beta3

1.4.0-beta4

1.4.0-beta5

1.4.0-beta6

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.8

1.4.9

1.5.0

1.5.1

1.5.10

1.5.2

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.6.1

1.6.7

1.7.0

1.7.0.1

1.7.0.2

1.7.0.3

1.7.1

1.7.2

1.7.2.1

1.7.2.2

1.7.3

1.7.4

1.7.5

1.7.5.1

1.7.5.2

1.7.6

1.7.7

1.7.7.1

1.7.7.2

1.7.8

1.7.9

v1.*

v1.4.0-beta

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-24907.json"