CVE-2021-36885 - Vulnerability Details - OpenCVE

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.6.1).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Ciphercoin	Contact Form 7 Database Addon

Configuration 1 [-]

cpe:2.3:a:ciphercoin:contact_form_7_database_addon:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability
https://wordpress.org/plugins/contact-form-cfdb7/#developers

History

Fri, 28 Mar 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2021-12-22T18:06:38.778Z

Updated: 2025-03-28T16:15:27.343Z

Reserved: 2021-07-19T00:00:00.000Z

Link: CVE-2021-36885

Vulnrichment

Updated: 2024-08-04T01:01:59.768Z

NVD

Status : Modified

Published: 2021-12-22T19:15:11.263

Modified: 2024-11-21T06:14:15.007

Link: CVE-2021-36885

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Contact Form 7 Database Addon \u2013 CFDB7 (WordPress plugin)", "vendor": "CipherCoin", "versions": [{"lessThanOrEqual": "1.2.6.1", "status": "affected", "version": "<= 1.2.6.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Vulnerability discovered by Ex.Mi (Patchstack)."}], "datePublic": "2021-11-12T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon \u2013 CFDB7 WordPress plugin (versions <= 1.2.6.1)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-22T18:06:38.000Z", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wordpress.org/plugins/contact-form-cfdb7/#developers"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability"}], "solutions": [{"lang": "en", "value": "Update to 1.2.6.2 or higher version."}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress Contact Form 7 Database Addon \u2013 CFDB7 plugin <= 1.2.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "audit@patchstack.com", "DATE_PUBLIC": "2021-11-12T19:50:00.000Z", "ID": "CVE-2021-36885", "STATE": "PUBLIC", "TITLE": "WordPress Contact Form 7 Database Addon \u2013 CFDB7 plugin <= 1.2.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Contact Form 7 Database Addon \u2013 CFDB7 (WordPress plugin)", "version": {"version_data": [{"version_affected": "<=", "version_name": "<= 1.2.6.1", "version_value": "1.2.6.1"}]}}]}, "vendor_name": "CipherCoin"}]}}, "credit": [{"lang": "eng", "value": "Vulnerability discovered by Ex.Mi (Patchstack)."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon \u2013 CFDB7 WordPress plugin (versions <= 1.2.6.1)."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://wordpress.org/plugins/contact-form-cfdb7/#developers", "refsource": "CONFIRM", "url": "https://wordpress.org/plugins/contact-form-cfdb7/#developers"}, {"name": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability", "refsource": "CONFIRM", "url": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability"}]}, "solution": [{"lang": "en", "value": "Update to 1.2.6.2 or higher version."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.768Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wordpress.org/plugins/contact-form-cfdb7/#developers"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-28T16:15:22.364283Z", "id": "CVE-2021-36885", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T16:15:27.343Z"}}]}, "cveMetadata": {"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2021-36885", "datePublished": "2021-12-22T18:06:38.778Z", "dateReserved": "2021-07-19T00:00:00.000Z", "dateUpdated": "2025-03-28T16:15:27.343Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wordpress.org/plugins/contact-form-cfdb7/#developers", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.768Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-36885", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-28T16:15:22.364283Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-28T16:15:19.100Z"}}], "cna": {"title": "WordPress Contact Form 7 Database Addon \u2013 CFDB7 plugin <= 1.2.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Vulnerability discovered by Ex.Mi (Patchstack)."}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "CipherCoin", "product": "Contact Form 7 Database Addon \u2013 CFDB7 (WordPress plugin)", "versions": [{"status": "affected", "version": "<= 1.2.6.1", "versionType": "custom", "lessThanOrEqual": "1.2.6.1"}]}], "solutions": [{"lang": "en", "value": "Update to 1.2.6.2 or higher version."}], "datePublic": "2021-11-12T00:00:00.000Z", "references": [{"url": "https://wordpress.org/plugins/contact-form-cfdb7/#developers", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon \u2013 CFDB7 WordPress plugin (versions <= 1.2.6.1)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2021-12-22T18:06:38.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Vulnerability discovered by Ex.Mi (Patchstack)."}], "impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "<= 1.2.6.1", "version_value": "1.2.6.1", "version_affected": "<="}]}, "product_name": "Contact Form 7 Database Addon \u2013 CFDB7 (WordPress plugin)"}]}, "vendor_name": "CipherCoin"}]}}, "solution": [{"lang": "en", "value": "Update to 1.2.6.2 or higher version."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://wordpress.org/plugins/contact-form-cfdb7/#developers", "name": "https://wordpress.org/plugins/contact-form-cfdb7/#developers", "refsource": "CONFIRM"}, {"url": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability", "name": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon \u2013 CFDB7 WordPress plugin (versions <= 1.2.6.1)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-36885", "STATE": "PUBLIC", "TITLE": "WordPress Contact Form 7 Database Addon \u2013 CFDB7 plugin <= 1.2.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability", "ASSIGNER": "audit@patchstack.com", "DATE_PUBLIC": "2021-11-12T19:50:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-36885", "state": "PUBLISHED", "dateUpdated": "2025-03-28T16:15:27.343Z", "dateReserved": "2021-07-19T00:00:00.000Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2021-12-22T18:06:38.778Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ciphercoin:contact_form_7_database_addon:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F5D8E28B-AED4-4FB6-A54A-D3684C4C41F1", "versionEndIncluding": "1.2.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Contact Form 7 Database Addon \u2013 CFDB7 WordPress plugin (versions <= 1.2.6.1)."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado sin autenticaci\u00f3n en el plugin Contact Form 7 Database Addon \u2013 CFDB7 de WordPress (versiones anteriores a 1.2.6.1 incluy\u00e9ndola)"}], "id": "CVE-2021-36885", "lastModified": "2024-11-21T06:14:15.007", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-22T19:15:11.263", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability"}, {"source": "audit@patchstack.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://wordpress.org/plugins/contact-form-cfdb7/#developers"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/contact-form-cfdb7/wordpress-contact-form-7-database-addon-cfdb7-plugin-1-2-6-1-unauthenticated-stored-cross-site-scripting-xss-vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://wordpress.org/plugins/contact-form-cfdb7/#developers"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}