Overview
- Description: The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when the leave a review notice is present in the dashboard.
- Source: security@wordfence.com
- NVD status: Awaiting Analysis
Risk scores
CVSS 3.1
- Type: Primary
- Base score: 6.1
- Impact score: 2.7
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity: MEDIUM
Weaknesses
- security@wordfence.com: CWE-79
Social media
- Hype score: Not currently trending
🚨 CVE-2024-10683 (Published: 2024-11-09) - A high-severity vulnerability in WePlugin LLC affects multiple versions. Users are urged to update to the latest version immediately to mitigate risks. Stay secure! 🔒 For more details, visit: https://t.co/TA6vLuzTGz #CyberSecurity… htt
@transilienceai
13 Nov 2024
🔒 CVE-2024-10683 (Published: 2024-11-09) - A high-severity vulnerability in WePlugin LLC affects multiple versions. Users are urged to update to the latest version to mitigate risks. For detailed changes, check: https://t.co/TA6vLuzTGz #CyberSecurity #WordPress… https://t.co/adR
@transilienceai
13 Nov 2024
🚨 CVE-2024-10683 (Published: 2024-11-09) - High severity vulnerability in the WordPress Plugin "Contact Form 7 PayPal Add-On" (versions affected: 2.3.1). Remediation is crucial! Update to the latest version to secure your site. More info: https://t.co/FiIdLhLCek #WordPress… http
@transilienceai
13 Nov 2024
CVE-2024-10683 The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg wi… https://t.co/Uk8tV5f1OF
@CVEnew
9 Nov 2024