CVE-2021-42361: 
WordPress vulnerability analysis and mitigation

The Contact Form Email WordPress plugin (versions up to 1.3.24) contained a Stored Cross-Site Scripting vulnerability (CVE-2021-42361) discovered in November 2021. The vulnerability was found in the name parameter within the ~/trunk/cp-admin-int-list.inc.php file, affecting multi-site installations where unfilteredhtml is disabled for administrators, and sites where unfilteredhtml is disabled (NVD, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue due to insufficient input validation and escaping mechanisms. It received a CVSS v3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating that it requires high privileges and user interaction to exploit (Wordfence).

The vulnerability allows attackers with administrative user access to inject arbitrary web scripts into the application. This particularly affects WordPress installations where the unfiltered_html capability is disabled for administrators in multi-site setups or on single sites (NVD).

The vulnerability was patched in version 1.3.25 of the Contact Form Email plugin with additional field sanitization. Users should update to this version or later to protect against this security issue (WordPress Plugin Repository).