"TITLE":"Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting"
},
"data_format":"MITRE",
"data_type":"CVE",
"data_version":"4.0",
"generator":"WPScan CVE Generator",
"affects":{
"vendor":{
"vendor_data":[
{
"vendor_name":"Unknown",
"product":{
"product_data":[
{
"product_name":"Contact Form Entries – Contact Form 7, WPforms and more",
"version":{
"version_data":[
{
"version_affected":"<",
"version_name":"1.1.7",
"version_value":"1.1.7"
}
]
}
}
]
}
}
]
}
},
"description":{
"description_data":[
{
"lang":"eng",
"value":"The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry"
