Vulnerability Name:

CVE-2022-25601 (CCN-221649)

Assigned:2022-02-25
Published:2022-02-25
Updated:2022-04-19
Summary:Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4).
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
4.7 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
4.1 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2022-25601

Source: XF
Type: UNKNOWN
wp-contactformx-cve202225601-xss(221649)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-956b6078fb

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-706aac2786

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-4b3079c1be

Source: CCN
Type: Patchstack Web site
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi (Patchstack) in WordPress Contact Form X plugin (versions <= 2.4)

Source: CONFIRM
Type: Third Party Advisory
https://patchstack.com/database/vulnerability/contact-form-x/wordpress-contact-form-x-plugin-2-4-authenticated-reflected-cross-site-scripting-xss-vulnerability

Source: CCN
Type: WordPress Plugin Directory
Contact Form X | WordPress

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://wordpress.org/plugins/contact-form-x/#developers

Vulnerable Configuration:Configuration 1:
  • cpe:/a:plugin-planet:contact_form_x:*:*:*:*:*:wordpress:*:* (Version < 2.4.1)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:wordpress:wordpress:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    plugin-planet contact form x *
    fedoraproject fedora 34
    fedoraproject fedora 35
    fedoraproject fedora 36
    wordpress wordpress -