CVE-2021-24247

MEDIUM

Contact Form Check Tester <= 1.0.2 - Stored Cross-Site Scripting via Plugin Settings (Subscriber+)


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-24247. PoCs published by 0xB9.

AI-analyzed exploit summary: the writeup demonstrates a stored cross-site scripting vulnerability in the WordPress plugin Contact Form Check Tester through 1.0.2. The plugin's settings page is reachable by any registered user because it is registered without a privilege-restricting capability check, and the saved settings are neither sanitised on input nor escaped on output, so a low-privileged user can store an XSS payload that executes in the browser of any other user, including an administrator, who opens the settings page.

Description

The settings of the Contact Form Check Tester WordPress plugin through 1.0.2 are visible to all registered users in the dashboard and are not sanitised or escaped. As a result, any registered user, even one with the Subscriber role, can store an XSS payload in the plugin settings; the payload is triggered in the browser of any user who visits the settings page, and because administrators visit that page, it can lead to privilege escalation (for example, creation of an administrator account via the victim's authenticated session). There is no fixed version: the vendor decided to close the plugin.
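To make the two defects concrete, here is an added, self-contained illustration in the form of a hypothetical WordPress plugin. It is not the Contact Form Check Tester code and not taken from the Exploit-DB writeup; every name in it (the `cfct_demo_*` functions, the `cfct-demo` slug, the `cfct_demo_target_email` option) is invented. It reproduces the defect class the advisory describes, a settings page registered with a capability every registered user holds, a save path without a capability check, nonce or sanitisation, and a raw echo of the stored value, and places the hardened form next to it. It assumes a WordPress installation and runs only inside one.

```php
<?php
/**
 * Plugin Name: Settings XSS Demo (illustrative, not the Contact Form Check Tester code)
 *
 * Two renderings of one invented settings field, "cfct_demo_target_email".
 * cfct_demo_register_vulnerable() reproduces the defect class from the advisory;
 * cfct_demo_register_hardened() is the corrected form. Only the hardened version
 * is hooked; swap the add_action() calls at the bottom to compare the two.
 * Assumes a WordPress install; all names here are made up for the example.
 */

const CFCT_DEMO_OPTION = 'cfct_demo_target_email';

/* ---- Vulnerable pattern (do not ship) ---------------------------------- */

function cfct_demo_register_vulnerable() {
    // 'read' is granted to Subscribers, so every registered user sees this
    // top-level menu entry and can open admin.php?page=cfct-demo.
    add_menu_page( 'CFCT Demo', 'CFCT Demo', 'read', 'cfct-demo', 'cfct_demo_render_vulnerable' );
}

function cfct_demo_render_vulnerable() {
    if ( isset( $_POST[ CFCT_DEMO_OPTION ] ) ) {
        // No capability check, no nonce, no sanitisation: any logged-in user
        // stores arbitrary HTML in the site options table.
        update_option( CFCT_DEMO_OPTION, wp_unslash( $_POST[ CFCT_DEMO_OPTION ] ) );
    }
    $value = get_option( CFCT_DEMO_OPTION, '' );
    // Raw echo inside an attribute: a stored value such as  "><script>...</script>
    // closes the attribute and runs in the browser of whoever opens this page
    // next, including an administrator.
    echo '<form method="post"><input name="' . CFCT_DEMO_OPTION . '" value="' . $value . '">';
    echo '<button>Save</button></form>';
}

/* ---- Hardened pattern -------------------------------------------------- */

function cfct_demo_register_hardened() {
    // Only users allowed to manage site options get the menu entry at all.
    add_menu_page( 'CFCT Demo', 'CFCT Demo', 'manage_options', 'cfct-demo', 'cfct_demo_render_hardened' );
}

function cfct_demo_render_hardened() {
    // Re-check the capability in the handler, not only at menu registration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cfct-demo' ), 403 );
    }
    if ( isset( $_POST[ CFCT_DEMO_OPTION ] ) ) {
        // CSRF protection: the nonce emitted by wp_nonce_field() below must match.
        check_admin_referer( 'cfct_demo_save', 'cfct_demo_nonce' );
        $raw   = wp_unslash( $_POST[ CFCT_DEMO_OPTION ] );
        // Validate against the expected type and reject what does not fit,
        // rather than trying to "clean" arbitrary markup.
        $clean = sanitize_email( $raw );
        if ( $clean !== '' && is_email( $clean ) ) {
            update_option( CFCT_DEMO_OPTION, $clean );
        }
    }
    $value = get_option( CFCT_DEMO_OPTION, '' );
    echo '<form method="post">';
    wp_nonce_field( 'cfct_demo_save', 'cfct_demo_nonce' );
    // Contextual output escaping: esc_attr() inside attributes, esc_html() for text.
    echo '<input name="' . esc_attr( CFCT_DEMO_OPTION ) . '" value="' . esc_attr( $value ) . '">';
    echo '<button>' . esc_html__( 'Save', 'cfct-demo' ) . '</button></form>';
}

add_action( 'admin_menu', 'cfct_demo_register_hardened' );
// add_action( 'admin_menu', 'cfct_demo_register_vulnerable' ); // the defect class, for comparison
```

Each of the three controls in the hardened branch addresses a different part of the advisory: the `manage_options` capability (checked both at registration and in the handler) removes Subscribers from the settings page entirely, which is the access-control half of the finding; validation on save and `esc_attr()` on output stop the attribute breakout even if a privileged user pastes a payload; and the nonce closes the CSRF route an attacker would otherwise use to make an administrator save the payload for them.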

Exploits (1)

Exploit-DB writeup by 0xB9 (text · webapps · php)
https://www.exploit-db.com/exploits/50703

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin Contact Form Check Tester 1.0.2
Auth required: yes
Prerequisites: Registered user account on the WordPress site (the Subscriber role suffices)
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core References
https://wpscan.com/vulnerability/e2990a7a-d4f0-424e-b01d-ecf67cf9c9f3 (Exploit, Third Party Advisory; refsource: CONFIRM)

Scores

CVSS v3 5.4
EPSS 0.0470
EPSS Percentile 90.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
mooveagency/contact_form_check_tester <= 1.0.2 (no fixed version; plugin closed by vendor)
Published May 06, 2021
Tracked Since Feb 18, 2026