CVE-2024-2242

MEDIUM

Contact Form 7 <= 5.9 - Reflected Cross-Site Scripting via Active-Tab Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-2242. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary The repository contains a functional proof-of-concept for CVE-2024-2242, demonstrating a reflected XSS vulnerability in Contact Form 7 <= 5.9 via the 'active-tab' parameter. The PoC includes an HTML form that submits a crafted payload to trigger the XSS when an admin clicks the link.

Description

The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Exploits (1)

nomisec WORKING POC

by RandomRobbieBF · poc

https://github.com/RandomRobbieBF/CVE-2024-2242

View Code ZIP pw:eip

The repository contains a functional proof-of-concept for CVE-2024-2242, demonstrating a reflected XSS vulnerability in Contact Form 7 <= 5.9 via the 'active-tab' parameter. The PoC includes an HTML form that submits a crafted payload to trigger the XSS when an admin clicks the link.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Contact Form 7 WordPress plugin <= 5.9

No auth needed

Prerequisites: Knowledge of the post ID where the form is located · User interaction (admin clicks the link)

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Broken Link

https://plugins.trac.wordpress.org/changeset/3049594/contact-form-7/trunk/admin/edit-contact-form.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/d5bf4972-424a-4470-a0bc-7dcc95378e0e?source=cve

Scores

CVSS v3 6.1

EPSS 0.0130

EPSS Percentile 66.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

rocklobster/contact_form_7 < 5.9.2

rocklobsterinc/Contact Form 7 < 5.9

Published Mar 13, 2024

Tracked Since Feb 18, 2026