The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
We have discovered 1,350,975 live websites that are affected by CVE-2024-2242.
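As an added illustration, not code from Contact Form 7 and not taken from this advisory, the Python below contrasts the generic defect class the advisory names (a request parameter reflected into HTML without escaping) with a hardened handler that validates `active-tab` against the small set of values a tab selector can legitimately take and escapes it on output. It also includes a log check a defender could run over web-server access logs to spot requests carrying markup in that parameter. The handler names, the assumed tab range, the HTML element, and the access-log lines are all constructed assumptions.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed assumption: an editor tab selector only ever takes a small
# non-negative integer. Anything else is not a tab index.
MAX_TAB = 10
TAB_RE = re.compile(r"[0-9]{1,2}")


def render_unsafe(active_tab: str) -> str:
    """Vulnerable pattern: the raw request value lands inside an HTML attribute
    with neither validation nor escaping, so attribute-breaking characters
    reach the browser verbatim."""
    return f'<div class="form-editor" data-active-tab="{active_tab}">'


def validate_active_tab(raw: str) -> int:
    """Allowlist on input: accept only a small non-negative integer within
    range, otherwise fall back to the first tab."""
    if raw is not None and TAB_RE.fullmatch(raw) and int(raw) <= MAX_TAB:
        return int(raw)
    return 0


def render_safe(raw: str) -> str:
    """Hardened pattern: validate on input AND escape on output. The escape
    is belt-and-braces here because the value is already an integer, but
    it is the step that protects any future non-numeric value."""
    tab = validate_active_tab(raw)
    return f'<div class="form-editor" data-active-tab="{html.escape(str(tab), quote=True)}">'


# Constructed sample access-log lines (not real traffic). The second line
# carries a percent-encoded, attribute-breaking value in active-tab.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=wpcf7&post=12&active-tab=1 HTTP/1.1" 200 5120
203.0.113.6 - - [10/Mar/2024:10:01:09 +0000] "GET /wp-admin/admin.php?page=wpcf7&post=12&active-tab=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5133
203.0.113.7 - - [10/Mar/2024:10:01:15 +0000] "GET /wp-admin/admin.php?page=wpcf7&post=13&active-tab=2 HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_active_tab_requests(log_text: str) -> list:
    """Return (source_ip, decoded active-tab value) for every request whose
    active-tab value is not a plain small integer. parse_qs decodes the
    percent-encoding, so the check sees what the server would have seen."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group(1)).query)
        for value in query.get("active-tab", []):
            if not TAB_RE.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    probe = '"><b>x</b>'
    print("unsafe :", render_unsafe(probe))
    print("safe   :", render_safe(probe))
    print("flagged:", suspicious_active_tab_requests(SAMPLE_LOG))
```

The validation step is what matters most for a value like a tab index: once the handler only ever emits an integer it chose itself, the reflected-input problem disappears regardless of what the request carried, and the output escaping remains as a second layer for any code path that later reflects free-form text.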
| Product | Contact Form 7 |
|---|---|
| Category | Form Builders |
| Vulnerable Domains | 1,350,975 live websites (38% of Contact Form 7 install base) |
| Vulnerable Versions | |
| Vulnerable Versions Count | 103 versions (80% of all versions) |
| Websites |
|---|
| 253,855 |
| 134,279 |
| 131,512 |
| 87,649 |
| 78,425 |
| 64,255 |
| 53,559 |
| 42,483 |
| 42,252 |
| 40,147 |
| TLD | Websites |
|---|---|
| .com | 518,006 |
| .de | 73,258 |
| .it | 54,575 |
| .ru | 51,984 |
| .org | 42,191 |
| .fr | 35,939 |
| .nl | 35,253 |
| .co.uk | 35,016 |
| .net | 34,145 |
| .pl | 32,172 |
| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.br | *** | | |
| ********.com | *,*** | | |
| ************.com | *,*** | | |
| *******.org | *,*** | | |
| *********.com | *,*** | | |
| ***************.com | *,*** | | |
| *********.com | *,*** | | |
| *****.****.br | *,*** | | |
| *********.com | *,*** | | |
| ********.****.br | *,*** | | |
FAQ