The Contact Form & SMTP Plugin for WordPress by PirateForms is widely used to add customizable contact forms and SMTP email configurations to WordPress sites. With over 50,000 active installations, the plugin provides a convenient solution for website owners to manage user interactions. However, a critical vulnerability (CVE-2024-11272) has been discovered in the plugin that exposes WordPress sites to a serious security risk. The vulnerability allows attackers to inject malicious JavaScript into the plugin’s settings via the “Submit button” field. This can lead to account takeover, backdoor creation, and a wide range of other security risks.
| Field | Value |
|---|---|
| CVE | CVE-2024-11273 |
| Plugin | Contact Form & SMTP Plugin for WordPress by PirateForms < 2.6.0 |
| Critical | High |
| All Time | 3 744 231 |
| Active installations | 50 000+ |
| Publicly Published | March 11, 2025 |
| Last Updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11272 https://wpscan.com/vulnerability/d1049a83-1298-4c8c-aeac-0055110d38fb/ |
Timeline
| Date | Event |
|---|---|
| November 7, 2024 | Plugin testing and vulnerability detection in the Contact Form & SMTP Plugin for WordPress by PirateForms were completed |
| November 7, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 11, 2025 | Registered CVE-2024-11272 |
Discovery of the Vulnerability
The vulnerability was identified during testing of the PirateForms plugin, specifically on the plugin’s settings page (pirateforms-admin). The issue arises from the plugin’s failure to properly sanitize user input in the “Submit button” field. Because raw JavaScript can be saved into this field, the plugin inadvertently enables a stored XSS attack that fires when an admin or other privileged user interacts with the form on the site. The malicious code is stored in the plugin’s settings and is triggered every time the form is rendered on the front end.
Understanding XSS attacks
Cross-Site Scripting (XSS) is a common vulnerability in WordPress plugins, especially those that accept user inputs and display them on the website. XSS allows attackers to inject malicious scripts that are executed in the browser of users who view the affected page. In this particular case, an attacker with editor-level access can inject a script into the “Submit button” field of the plugin’s settings. Stored XSS vulnerabilities, like the one in CVE-2024-11272, are particularly dangerous because the injected script is stored in the server’s database and executed each time the page is loaded. In past vulnerabilities, like CVE-2019-8840, malicious XSS scripts were used to steal sensitive data, perform phishing attacks, or escalate privileges.
Exploiting the XSS Vulnerability
To exploit CVE-2024-11272, an attacker with editor+ privileges:
PoC:
1. Go to the plugin settings: 127.0.0.1/wordpress/wp-admin/admin.php?page=pirateforms-admin.
2. Change the "Submit button" field to malicious JS code (eval() etc.), for example <img src=x onerror=alert(1)//>.
3. Save Settings.
4. Go to any post and insert the "[pirate_forms]" shortcode.
(Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)
The impact of CVE-2024-11272 is severe, particularly for WordPress websites that use the PirateForms plugin to handle user submissions. In a real-world scenario, an attacker can escalate from an editor or contributor role to an admin account by exploiting this vulnerability. Once the attacker gains admin privileges, they can perform a variety of malicious actions, such as installing malware, altering site content, stealing user data, or even defacing the site. In the case of e-commerce websites, the attacker could potentially steal customer information or perform fraudulent transactions. This type of attack can be used to inject malicious scripts that can persist across site interactions, potentially compromising the entire website’s security.
Recommendations for Improved Security
To mitigate the risks of CVE-2024-11272, users of the Contact Form & SMTP Plugin for WordPress by PirateForms should update the plugin to the latest version that addresses this vulnerability. Plugin developers should implement proper input sanitization and validation for all fields that display user-generated content, particularly fields like “Submit button” that appear on the frontend. WordPress developers should use functions like esc_html() or wp_kses() to strip out any potentially harmful code. Additionally, administrators should restrict access to sensitive plugin settings and require that only trusted users, such as admins, can modify these settings. Regular security audits and the use of a Web Application Firewall (WAF) can further enhance the security of WordPress sites. To prevent this type of attack, the vendor applied the prevention methods we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-11272, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.