CVEs-PoC/2021/CVE-2021-25080.md

### [CVE-2021-25080](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25080)
![](https://img.shields.io/static/v1?label=Product&message=Contact%20Form%20Entries%20%E2%80%93%20Contact%20Form%207%2C%20WPforms%20and%20more&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=1.1.7%3C%201.1.7%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%20Cross-site%20Scripting%20(XSS)&color=brighgreen)

### Description

The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry

### POC

#### Reference
- https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac

#### Github
- https://github.com/ARPSyndicate/cvemon