{"id":"CVE-2024-10471","details":"The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).","modified":"2026-04-10T05:08:06.962701Z","published":"2024-11-26T06:15:07.520Z","references":[{"type":"EVIDENCE","url":"https://wpscan.com/vulnerability/85d590c9-c96d-40c9-aa59-48302ba3d63c/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wpeverest/everest-forms","events":[{"introduced":"0"},{"fixed":"b38d199bc618f90035904a537d7e0d52ccf61466"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.0.4.2"}]}}],"versions":["1.0.0","1.0.1","1.0.2","1.1.0","1.1.0-rc.1","1.1.3","1.1.4","1.2.0","1.2.0-rc.1","1.3.0","1.3.2","1.3.4","1.4.0","1.4.0-beta","1.4.0-beta2","1.4.0-beta3","1.4.0-beta4","1.4.0-beta5","1.4.0-beta6","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.8","1.4.9","1.5.0","1.5.1","1.5.10","1.5.2","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.6.1","1.6.7","1.7.0","1.7.0.1","1.7.0.2","1.7.0.3","1.7.1","1.7.2","1.7.2.1","1.7.2.2","1.7.3","1.7.4","1.7.5","1.7.5.1","1.7.5.2","1.7.6","1.7.7","1.7.7.1","1.7.7.2","1.7.8","1.7.9","1.8.0","1.8.0.1","1.8.1","1.8.2","1.8.2.1","1.8.2.2","1.8.2.3","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","1.9.0","1.9.0.1","1.9.1","1.9.2","1.9.3","1.9.4","1.9.4.1","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9","2.0.0","2.0.0.1","2.0.1","2.0.3","2.0.3.1","2.0.5","2.0.6","2.0.7","2.0.8","2.0.8.1","2.0.9","3.0.0","3.0.0.1","3.0.1","3.0.2","3.0.3","3.0.3.1","3.0.4","3.0.4.1","v1.4.0-beta"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10471.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}