{"id":"CVE-2021-24907","details":"The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue","modified":"2026-04-10T04:30:54.850075Z","published":"2021-12-21T09:15:07.140Z","references":[{"type":"EVIDENCE","url":"https://wpscan.com/vulnerability/56dae1ae-d5d2-45d3-8991-db69cc47ddb7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wpeverest/everest-forms","events":[{"introduced":"0"},{"fixed":"6612f9c83b8542b0f4468a2894d95c38e2595c51"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.8.0"}]}}],"versions":["1.0.0","1.0.1","1.0.2","1.1.0","1.1.0-rc.1","1.1.3","1.1.4","1.2.0","1.2.0-rc.1","1.3.0","1.3.2","1.3.4","1.4.0","1.4.0-beta","1.4.0-beta2","1.4.0-beta3","1.4.0-beta4","1.4.0-beta5","1.4.0-beta6","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.8","1.4.9","1.5.0","1.5.1","1.5.10","1.5.2","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.6.1","1.6.7","1.7.0","1.7.0.1","1.7.0.2","1.7.0.3","1.7.1","1.7.2","1.7.2.1","1.7.2.2","1.7.3","1.7.4","1.7.5","1.7.5.1","1.7.5.2","1.7.6","1.7.7","1.7.7.1","1.7.7.2","1.7.8","1.7.9","v1.4.0-beta"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-24907.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}