Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities by constantcontact
CVE-2026-3985 (GCVE-0-2026-3985)
Vulnerability from cvelistv5 – Published: 2026-05-20 01:25 – Updated: 2026-05-20 17:18
VLAI
Title
Creative Mail – Easier WordPress & WooCommerce Email Marketing <= 1.6.9 - Unauthenticated SQL Injection via 'checkout_uuid' Parameter
Summary
The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkout_uuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `has_checkout_consent()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| constantcontact | Creative Mail – Easier WordPress & WooCommerce Email Marketing |
Affected:
0 , ≤ 1.6.9
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3985",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T17:18:03.547690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T17:18:13.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Creative Mail \u2013 Easier WordPress \u0026 WooCommerce Email Marketing",
"vendor": "constantcontact",
"versions": [
{
"lessThanOrEqual": "1.6.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Creative Mail \u2013 Easier WordPress \u0026 WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the \u0027checkout_uuid\u0027 parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `has_checkout_consent()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T01:25:47.803Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39c17935-a853-407f-a99d-3828561919e6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/creative-mail-by-constant-contact/tags/1.6.9/src/Managers/DatabaseManager.php#L298"
},
{
"url": "https://plugins.trac.wordpress.org/browser/creative-mail-by-constant-contact/trunk/src/Managers/DatabaseManager.php#L298"
},
{
"url": "https://plugins.trac.wordpress.org/browser/creative-mail-by-constant-contact/tags/1.6.9/src/Managers/CheckoutManager.php#L100"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T12:14:03.000Z",
"value": "Disclosed"
}
],
"title": "Creative Mail \u2013 Easier WordPress \u0026 WooCommerce Email Marketing \u003c= 1.6.9 - Unauthenticated SQL Injection via \u0027checkout_uuid\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3985",
"datePublished": "2026-05-20T01:25:47.803Z",
"dateReserved": "2026-03-11T14:46:25.631Z",
"dateUpdated": "2026-05-20T17:18:13.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52208 (GCVE-0-2023-52208)
Vulnerability from cvelistv5 – Published: 2024-01-08 18:57 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Constant Contact Forms Plugin <= 2.4.2 is vulnerable to Sensitive Data Exposure
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Constant Contact Constant Contact Forms.This issue affects Constant Contact Forms: from n/a through 2.4.2.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/con… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Constant Contact | Constant Contact Forms |
Affected:
n/a , ≤ 2.4.2
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:55:40.972Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/constant-contact-forms/wordpress-constant-contact-forms-plugin-2-4-2-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:43:48.340619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T16:02:47.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "constant-contact-forms",
"product": "Constant Contact Forms",
"vendor": "Constant Contact",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Joshua Chan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Constant Contact Constant Contact Forms.\u003cp\u003eThis issue affects Constant Contact Forms: from n/a through 2.4.2.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Constant Contact Constant Contact Forms.This issue affects Constant Contact Forms: from n/a through 2.4.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:06.605Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/constant-contact-forms/wordpress-constant-contact-forms-plugin-2-4-2-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Constant Contact Forms Plugin \u003c= 2.4.2 is vulnerable to Sensitive Data Exposure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-52208",
"datePublished": "2024-01-08T18:57:39.694Z",
"dateReserved": "2023-12-29T12:26:03.424Z",
"dateUpdated": "2026-04-28T16:09:06.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-44740 (GCVE-0-2022-44740)
Vulnerability from cvelistv5 – Published: 2022-11-18 22:03 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Creative Mail plugin <= 1.5.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Summary
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Creative Mail plugin <= 1.5.4 on WordPress.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Constant Contact | Creative Mail (WordPress plugin) |
Affected:
<= 1.5.4 , ≤ 1.5.4
(custom)
|
Date Public
2022-10-28 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:01:31.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/creative-mail-by-constant-contact/wordpress-creative-mail-plugin-1-5-4-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/creative-mail-by-constant-contact/#developers"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-44740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:20:06.269990Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:51:20.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Creative Mail (WordPress plugin)",
"vendor": "Constant Contact",
"versions": [
{
"lessThanOrEqual": "1.5.4",
"status": "affected",
"version": "\u003c= 1.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Vlad Vector (Patchstack)"
}
],
"datePublic": "2022-10-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Creative Mail plugin \u003c= 1.5.4 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:51.721Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/creative-mail-by-constant-contact/wordpress-creative-mail-plugin-1-5-4-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/creative-mail-by-constant-contact/#developers"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.6.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Creative Mail plugin \u003c= 1.5.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-44740",
"datePublished": "2022-11-18T22:03:34.592Z",
"dateReserved": "2022-11-04T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:51.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-40687 (GCVE-0-2022-40687)
Vulnerability from cvelistv5 – Published: 2022-11-18 18:47 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Creative Mail plugin <= 1.5.4 - Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin <= 1.5.4 on WordPress.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Constant Contact | Creative Mail (WordPress plugin) |
Affected:
<= 1.5.4 , ≤ 1.5.4
(custom)
|
Date Public
2022-10-28 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.609Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/creative-mail-by-constant-contact/wordpress-creative-mail-easier-wordpress-woocommerce-email-marketing-plugin-1-5-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:20:28.105473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:52:41.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Creative Mail (WordPress plugin)",
"vendor": "Constant Contact",
"versions": [
{
"lessThanOrEqual": "1.5.4",
"status": "affected",
"version": "\u003c= 1.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Muhammad Daffa (Patchstack Alliance)"
}
],
"datePublic": "2022-10-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin \u003c= 1.5.4 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:47.994Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/creative-mail-by-constant-contact/wordpress-creative-mail-easier-wordpress-woocommerce-email-marketing-plugin-1-5-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.6.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Creative Mail plugin \u003c= 1.5.4 - Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-40687",
"datePublished": "2022-11-18T18:47:19.961Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:47.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-40686 (GCVE-0-2022-40686)
Vulnerability from cvelistv5 – Published: 2022-11-18 18:38 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Creative Mail plugin <= 1.5.4 - Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin <= 1.5.4 on WordPress.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Constant Contact | Creative Mail (WordPress plugin) |
Affected:
<= 1.5.4 , ≤ 1.5.4
(custom)
|
Date Public
2022-10-28 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.591Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/creative-mail-by-constant-contact/wordpress-creative-mail-plugin-1-5-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:20:34.514060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:52:56.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Creative Mail (WordPress plugin)",
"vendor": "Constant Contact",
"versions": [
{
"lessThanOrEqual": "1.5.4",
"status": "affected",
"version": "\u003c= 1.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Muhammad Daffa (Patchstack Alliance)"
}
],
"datePublic": "2022-10-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin \u003c= 1.5.4 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:48.730Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/creative-mail-by-constant-contact/wordpress-creative-mail-plugin-1-5-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.6.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Creative Mail plugin \u003c= 1.5.4 - Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-40686",
"datePublished": "2022-11-18T18:38:45.709Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:48.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24134 (GCVE-0-2021-24134)
Vulnerability from cvelistv5 – Published: 2021-03-18 14:57 – Updated: 2024-08-03 19:21
VLAI
Title
Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS
Summary
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/8f3cca92-d072-48… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | Constant Contact Forms |
Affected:
1.8.8 , < 1.8.8
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.263Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/8f3cca92-d072-4806-9142-7f1a987f840b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Constant Contact Forms",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.8.8",
"status": "affected",
"version": "1.8.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-18T14:57:49.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/8f3cca92-d072-4806-9142-7f1a987f840b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Constant Contact Forms \u003c 1.8.8 - Multiple Authenticated Stored XSS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24134",
"STATE": "PUBLIC",
"TITLE": "Constant Contact Forms \u003c 1.8.8 - Multiple Authenticated Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Constant Contact Forms",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.8",
"version_value": "1.8.8"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/8f3cca92-d072-4806-9142-7f1a987f840b",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/8f3cca92-d072-4806-9142-7f1a987f840b"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24134",
"datePublished": "2021-03-18T14:57:49.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}