CVE-2024-53860
CVSS 3.1 Score 8.6 of 10 (high)
Details
Summary
CVE-2024-53860 affects the sp-php-email-handler PHP package, a library for handling contact form submissions. The vulnerable versions let the submitter choose the email recipient and echo user-provided content back in confirmation emails, so an attacker can make the server deliver mail of their choosing to addresses of their choosing. This could result in the server being used to send spam, phishing emails, or other malicious content, potentially damaging the domain's reputation and leading to email provider blacklisting. Version 1.0.0 of the package addresses this issue by removing user-provided content from confirmation emails. All pre-release versions (alpha and beta) are vulnerable and should not be used. There are currently no workarounds; users must upgrade to version 1.0.0 to mitigate the vulnerability.
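The pattern the summary describes, shown as an added example beside a hardened form. This is illustrative code written for this page, not code from sp-php-email-handler; the function names, the form field names (`recipient`, `email`, `message`, `department`), the `CONTACT_RECIPIENTS` allowlist and the `$sendMail` callable are all assumptions, and the mailer is a stub so the script runs offline without sending anything.

```php
<?php
// Added example for this page, not code from sp-php-email-handler.
// Field names, function names and CONTACT_RECIPIENTS are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the recipient is taken from the submitted form and the
// submitter's own text is relayed verbatim in the confirmation email.
function handle_contact_vulnerable(array $post, callable $sendMail): array
{
    $sent = [];
    // 1. Recipient chosen by the submitter: any address on the internet.
    $sent[] = $sendMail($post['recipient'], 'Contact form', $post['message']);
    // 2. Confirmation reflects attacker-controlled text to an attacker-chosen address.
    $sent[] = $sendMail($post['email'], 'Thanks for your message',
        "We received the following:\n\n" . $post['message']);
    return $sent;
}

// Hardened pattern: recipients are fixed server-side, the submitter's address is
// validated and header-injection characters are rejected, and the confirmation
// carries no user-supplied content (the approach the 1.0.0 fix takes).
const CONTACT_RECIPIENTS = ['support' => 'support@example.com']; // assumed allowlist

function clean_header_value(string $v): string
{
    // A CR or LF inside a header field would let the submitter append
    // extra headers such as Bcc: or To: lines.
    if (preg_match('/[\r\n]/', $v) === 1) {
        throw new InvalidArgumentException('header injection attempt');
    }
    return trim($v);
}

function handle_contact_hardened(array $post, callable $sendMail): array
{
    $dept = (string)($post['department'] ?? 'support');
    if (!array_key_exists($dept, CONTACT_RECIPIENTS)) {
        throw new InvalidArgumentException('unknown department');
    }
    $from = clean_header_value((string)($post['email'] ?? ''));
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    $message = (string)($post['message'] ?? '');
    $sent = [];
    // Only the allowlisted internal mailbox receives the submitted text.
    $sent[] = $sendMail(CONTACT_RECIPIENTS[$dept], 'Contact form submission',
        "From: {$from}\n\n" . $message);
    // Fixed-text confirmation: nothing the submitter typed is relayed.
    $sent[] = $sendMail($from, 'We received your message',
        'Thank you, we will reply to this address shortly.');
    return $sent;
}

// Stub mailer for offline demonstration: records what would have been sent.
$mailer = function (string $to, string $subject, string $body): array {
    return ['to' => $to, 'subject' => $subject, 'body' => $body];
};

// Constructed attacker submission: an arbitrary recipient and a phishing body.
$attack = [
    'recipient' => 'victim@example.net',
    'email'     => 'victim@example.net',
    'message'   => 'Your account is locked, sign in at http://phish.example/ now',
];

// Vulnerable handler: both messages, phishing text included, go to the victim.
print_r(handle_contact_vulnerable($attack, $mailer));

// Hardened handler: 'recipient' is ignored, the text goes only to the internal
// mailbox, and the victim receives a confirmation with no attacker content.
print_r(handle_contact_hardened($attack, $mailer));

// Constructed header-injection attempt: rejected before any mail is built.
try {
    handle_contact_hardened(['email' => "a@example.net\r\nBcc: b@example.org"], $mailer);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Even the hardened form still sends a fixed-text confirmation to a submitter-supplied address, which is what the 1.0.0 fix leaves in place; per-IP rate limiting or a CAPTCHA on the form is the usual companion control if abuse of blank confirmations is a concern.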