A critical Cross-Site Scripting (XSS) vulnerability has been identified in the Contact Form Builder, Contact Widget plugin. This vulnerability could allow a malicious actor to inject malicious scripts into the website, which could then be executed by visitors to the affected site.
LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Contact Form Builder, Contact Widget Plugin.
The vulnerability is caused by a flaw in the way the Contact Form Builder, Contact Widget plugin handles user input. This flaw allows a malicious actor to inject arbitrary code into the website’s output, which can then be executed by visitors to the site.
Severity
High
The severity of this vulnerability is significant, with a CVSS 3.1 score of 7.1. This score underscores the substantial risk it poses to the website’s security.
Affected Versions
At present, there is no available patched version to resolve this vulnerability.
Impact
If a malicious actor is able to exploit this vulnerability, they could inject malicious scripts into the website. These scripts could then be executed by visitors to site, which could lead to a variety of problems, such as:
- Redirecting visitors to malicious websites
- Injecting advertisements into your website
- Stealing cookies or other sensitive information from visitors
Recommendation
- Stay Informed: Maintain vigilance for updates and announcements from the plugin developer regarding this vulnerability. Once a patch or update becomes available, apply it without delay.
- Routine Updates: Ensure that all WordPress plugins, themes, and the WordPress core are kept up-to-date to mitigate known vulnerabilities.
- Enhanced Security Measures: Consider implementing additional security measures such as web application firewalls (WAFs), security plugins, and periodic security audits to fortify the website’s defenses.
- Temporary Deactivation: Disable the Contact Form Builder, and Contact Widget plugin until a patched version is available.