The Contact Form & SMTP Plugin for WordPress by PirateForms is widely used to implement contact forms and handle email submissions through SMTP. With over 50,000 active installations, this plugin offers a simple and efficient way to manage user inquiries. However, a critical vulnerability—CVE-2024-11273—has been discovered in the plugin, which allows for Stored Cross-Site Scripting (XSS) attacks. This flaw enables attackers to inject malicious JavaScript code into the plugin’s settings, leading to the creation of backdoors and allowing attackers to take over admin accounts.
| CVE | CVE-2024-11273 |
| Contact Form & SMTP Plugin for WordPress by PirateForms < 2.6.0 | |
| Critical | High |
| All Time | 3 744 231 |
| Active installations | 50 000+ |
| Publicly Published | March 11, 2025 |
| Last Updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11273 https://wpscan.com/vulnerability/d1049a83-1298-4c8c-aeac-0055110d38fb/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| November 7, 2024 | Plugin testing and vulnerability detection in the Contact Form & SMTP Plugin for WordPress by PirateForms have been completed |
| November 7, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 11, 2025 | Registered CVE-2024-11273 |
Discovery of the Vulnerability
The vulnerability was found in the plugin’s “Strings” settings, specifically within the “Subtext:” field. This field is used to add additional text for form descriptions or messages. The plugin fails to sanitize the input from users, allowing for the insertion of JavaScript code. When this input is stored and rendered on the page, the script is executed in the browser of any admin or editor who views the page, potentially allowing the attacker to hijack the admin’s session or escalate privileges.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a common vulnerability that allows attackers to inject malicious scripts into web pages, which are then executed in the browser of users who visit the affected page. WordPress, with its large plugin ecosystem, has been a frequent target for XSS vulnerabilities. In some real-world cases, such as CVE-2020-1429 in WPForms, XSS vulnerabilities have been exploited to gain access to admin accounts or execute malicious actions, such as redirecting users or stealing cookies. CVE-2024-11273 follows a similar pattern, where attackers can insert JavaScript into plugin settings and execute it later when administrators view the page.
Exploiting the XSS Vulnerability
To exploit CVE-2024-11273, an attacker with editor+ privileges:
POC:
Add a widget of the plugin. Change "Subtext:" field in "Strings" settings to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(1)//> -> Save Settings -> Go to any post (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks associated with CVE-2024-11273 are significant. In a real-world scenario, an attacker could escalate their privileges from a low-level contributor to a full administrator. Once the attacker gains admin access, they could perform a variety of malicious actions, including installing backdoors, modifying or deleting content, and stealing sensitive information. The attacker could also inject further malicious scripts to compromise other users or escalate their attack. In the context of an e-commerce website, this could lead to the theft of customer data, unauthorized transactions, or even site defacement. For websites that rely on PirateForms to collect contact information, this vulnerability could also allow an attacker to hijack email communications or inject phishing links.
Recommendations for Improved Security
To mitigate the risks of CVE-2024-11273, users of the Contact Form & SMTP Plugin for WordPress by PirateForms should immediately update to the latest version of the plugin, which includes a fix for this vulnerability. Plugin developers should implement proper sanitization of all user inputs, especially in settings fields such as “Subtext:”, using WordPress functions like esc_html() and wp_kses() to ensure that no malicious code is executed. Additionally, site administrators should restrict access to sensitive plugin settings to trusted roles, such as admins, and conduct regular security audits. Enabling a Web Application Firewall (WAF) and using security plugins to scan for potential vulnerabilities can further protect against exploits like this one. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-11273, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.