关键信息 描述 漏洞类型: Authenticated Stored Cross-Site Scripting (XSS) 受影响的插件: Easy Contact Form Pro < 1.1.1.9 问题: 插件未正确对文本字段(如电子邮件主题、电子邮件收件人等)进行清理,导致经过身份验证的存储型XSS问题。 漏洞利用概念 (Proof of Concept) 利用方法: 作为作者、编辑或管理员,创建或编辑表单,并在“电子邮件主题”字段中添加以下payload: 参考资料 (References) CVE编号: CVE-2021-24168 ExploitDB编号: 49427 分类 (Classification) 漏洞类型: XSS OWASP Top 10: A7: Cross-Site Scripting (XSS) CWE编号: CWE-79 CVSS评分: 9.0 (critical) 其他信息 (Miscellaneous) 研究者: Rahul Ramakant Singh 验证: Yes WPVDB ID: bfaa7d79-904e-45f1-bc42-ddd90a65ce74 时间线 (Timeline) 公开发布: 2021-01-15 添加时间: 2021-01-15 最后更新: 2021-02-28 其他相关漏洞 (Other) WordPress Social Login <= 3.0.4 - Reflected XSS (2023-05-31) Content Repeater <= 1.1.13 - Admin+ Stored XSS (2022-11-25) Tutor LMS < 1.9.11 - Reflected Cross-Site Scripting (2021-10-19) WP-Thumbnail <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode (2025-10-21) Super Store Finder < 7.7 - Reflected Cross-Site Scripting (2025-08-21)