CVE-2019-25145
Contact Form & SMTP Plugin by PirateForms <= 2.5.1 - Unauthenticated HTML injection
In short
The plugin's public contact form does not sanitize submitted field values before placing them in the notification email, so an attacker can inject arbitrary HTML into those emails without logging in. Recipients of the email could be tricked into clicking malicious links or revealing sensitive information.
Technical detail
PirateForms up to and including version 2.5.1 builds the notification email from submitted form fields in public/class-pirateforms-public.php without sanitizing the input or escaping it for the HTML email body. Because the contact form is reachable by anyone, an unauthenticated attacker can submit a form whose field values contain arbitrary HTML, such as a link to a credential-harvesting page, and that markup is rendered as-is in the email delivered to the site's configured recipient. This enables phishing against whoever reads those emails.
Summary generated and translated by AI from the official description.
The Contact Form & SMTP Plugin by PirateForms plugin for WordPress is vulnerable to HTML injection in the ‘public/class-pirateforms-public.php’ file in versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary HTML in emails that could be used to phish unsuspecting victims.
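The following is an added, stand-alone PHP example illustrating the class of bug described above; it is not the PirateForms plugin's code, and the field names, recipient text and the attacker submission are constructed for the demo. It contrasts an email builder that concatenates form values straight into an HTML body with one that sanitizes on input and escapes on output, and checks whether the resulting body still carries a live anchor tag.

```php
<?php
// Added example (not the PirateForms plugin's code): a minimal contact-form
// email builder showing the bug class. Field names, the recipient wording
// and the submission below are constructed for this demo.

declare(strict_types=1);

// Constructed attacker submission: the "name" field carries a phishing link.
$submission = [
    'contact-name'    => 'Alice <a href="https://attacker.example/reset">Reset your password</a>',
    'contact-email'   => 'alice@example.com',
    'contact-message' => 'Hello',
];

// Vulnerable pattern: field values are concatenated straight into the HTML
// email body, so any tags in the submission become live HTML for the reader.
function build_email_body_vulnerable(array $fields): string
{
    $body = '<p>New contact form submission:</p><ul>';
    foreach ($fields as $name => $value) {
        $body .= '<li><strong>' . $name . ':</strong> ' . $value . '</li>';
    }
    return $body . '</ul>';
}

// Hardened pattern, step 1: sanitize on input. This mirrors what WordPress's
// sanitize_text_field() does (strip tags, collapse whitespace, trim).
function sanitize_field(string $value): string
{
    $value = strip_tags($value);                         // drop any markup
    $value = preg_replace('/[\r\n\t ]+/', ' ', $value);  // collapse whitespace
    return trim($value);
}

// Hardened pattern, step 2: escape on output for the HTML context. Inside
// WordPress, esc_html() is the idiomatic equivalent of this htmlspecialchars call.
function build_email_body_hardened(array $fields): string
{
    $body = '<p>New contact form submission:</p><ul>';
    foreach ($fields as $name => $value) {
        $safeName  = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $safeValue = htmlspecialchars(sanitize_field($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $body .= '<li><strong>' . $safeName . ':</strong> ' . $safeValue . '</li>';
    }
    return $body . '</ul>';
}

// Check: does the generated body still contain an opening tag of the given name?
function contains_html_tag(string $htmlBody, string $tag): bool
{
    return stripos($htmlBody, '<' . $tag) !== false;
}

$vulnerable = build_email_body_vulnerable($submission);
$hardened   = build_email_body_hardened($submission);

echo 'vulnerable body contains <a>: ' . (contains_html_tag($vulnerable, 'a') ? 'yes' : 'no') . "\n";
echo 'hardened body contains <a>:   ' . (contains_html_tag($hardened, 'a') ? 'yes' : 'no') . "\n";
echo $hardened . "\n";
```

Run with `php example.php`: the vulnerable body keeps the attacker's `<a href>` intact, while the hardened body reduces the name field to plain text. In a real WordPress plugin the same two steps are `sanitize_text_field()` on each `$_POST` value and `esc_html()` (or `wp_kses()` with an explicit tag allowlist if some formatting must survive) when the value is written into the email; sending the notification as `text/plain` instead of HTML removes the rendering path altogether.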
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected products
smub · Contact Form & SMTP Plugin for WordPress by PirateForms