CVE-2024-2242

🗓️ 13 Mar 2024 21:32:56Reported by WordfenceType

cve🔗 web.nvd.nist.gov👁 223 Views🌐 WEB

The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 5.9

Reporter	Title	Published	Views	Family All 14
GithubExploit	Exploit for Cross-site Scripting in Rocklobster Contact_Form_7	15 Nov 202407:32	–	githubexploit
Circl	CVE-2024-2242	13 Mar 202423:26	–	circl
CNNVD	WordPress Plugin Contact Form Security Vulnerability	13 Mar 202400:00	–	cnnvd
Cvelist	CVE-2024-2242 Contact Form 7 <= 5.9 - Reflected Cross-Site Scripting	13 Mar 202421:32	–	cvelist
NVD	CVE-2024-2242	13 Mar 202422:15	–	nvd
Patchstack	WordPress Contact Form 7 Plugin <= 5.9 is vulnerable to Cross Site Scripting (XSS)	13 Mar 202400:00	–	patchstack
Prion	Cross site scripting	13 Mar 202422:15	–	prion
Positive Technologies	PT-2024-19410 · WordPress · Contact Form 7	13 Mar 202400:00	–	ptsecurity
RedhatCVE	CVE-2024-2242	7 Jan 202609:13	–	redhatcve
Vulnrichment	CVE-2024-2242 Contact Form 7 <= 5.9 - Reflected Cross-Site Scripting	13 Mar 202421:32	–	vulnrichment

NVD

Vulners

Node

rocklobster contact_form_7Range<5.9.2wordpress

[
  {
    "vendor": "rocklobsterinc",
    "product": "Contact Form 7",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "5.9",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/d5bf4972-424a-4470-a0bc-7dcc95378e0e
plugins	www.plugins.trac.wordpress.org/changeset/3049594/contact-form-7/trunk/admin/edit-contact-form.php

Parameter	Position	Path	Description	CWE
active-tab	query param	/wp-admin/admin.php?page=wpcf7&post=$FORMID&active-tab=1%22%3E%3Csvg%2Fonload%3Dalert%281%29%2F%2F%3E	Reflected XSS via active-tab parameter in the URL (unsanitized input echoed in page)	CWE-79

08 Apr 2026 19:21Current

6.5Medium risk

Vulners AI Score6.5

CVSS 3.16.1

EPSS0.68479

SSVC

CWE-79